#5412 lookup-domain flagged as insecure dependency in procmail

1.950
open
nobody
None
5
2020-10-08
2020-10-02
rj elleray
No

Hi,

Whilst checking for an SMTP auth failure I 'happened' to look at the procmail log.

several times, when a valid user mail is received, there are the following two lines:-

Insecure dependency in exec while running with -T switch at /etc/webmin/virtual-server/lookup-domain.pl line 19.
procmail: Program failure (255) of "/etc/webmin/virtual-server/lookup-domain.pl"

procmail config is

LOGFILE=/var/log/procmail.log
TRAP=/etc/webmin/virtual-server/procmail-logger.pl
:0wi
VIRTUALMIN=|/etc/webmin/virtual-server/lookup-domain.pl --exitcode 75 $LOGNAME
EXITCODE=$?
:0
* ?/bin/test "$EXITCODE" = "75"
/dev/null
EXITCODE=0
:0
* ?/bin/test "$VIRTUALMIN" != ""
{
INCLUDERC=/etc/webmin/virtual-server/procmail/$VIRTUALMIN
}
ORGMAIL=/var/mail/$LOGNAME
DEFAULT=/var/mail/$LOGNAME
DROPPRIVS=yes
:0wf
| /usr/bin/spamassassin

The mail is delivered to the recipient's mailbox (SpamAssassin tests are passed OK).

Shouldn't I be worried about this ?
d.

Discussion

  • rj elleray

    rj elleray - 2020-10-02

    doh !
    forgot to add CentOS Linux 7.8.2003, Virtualmin version 6.08 and Webmin version 1.955
    d

     
  • Jamie Cameron

    Jamie Cameron - 2020-10-02

    That's an odd error. What does /etc/webmin/virtual-server/lookup-domain.pl contain on your system?

     
  • rj elleray

    rj elleray - 2020-10-03

    Jamie, Hi.

    cat /etc/webmin/virtual-server/lookup-domain.pl
    #!/usr/bin/perl
    delete($ENV{'IFS'});
    delete($ENV{'CDPATH'});
    delete($ENV{'ENV'});
    delete($ENV{'BASH_ENV'});
    $ENV{'PATH'} = '/bin:/usr/bin';
    $< = $>;
    $( = $);
    open(CONF, "/etc/webmin/miniserv.conf") || die "Failed to open /etc/webmin/miniserv.conf : $!";
    while(<CONF>) {
            $root = $1 if (/^root=(.*)/);
            }
    close(CONF);
    $root || die "No root= line found in /etc/webmin/miniserv.conf";
    $ENV{'PERLLIB'} = "$root";
    $ENV{'WEBMIN_CONFIG'} = "/etc/webmin";
    $ENV{'WEBMIN_VAR'} = "/var/webmin";
    chdir("$root/virtual-server");
    exec("$root/virtual-server/lookup-domain.pl", @ARGV) || die "Failed to run $root/virtual-server/lookup-domain.pl : $!";
    

    perl 5, version 16, subversion 3 (v5.16.3)

     

    Last edit: rj elleray 2020-10-03
  • Jamie Cameron

    Jamie Cameron - 2020-10-03

    That looks fine to me.

    What are the permissions on the /usr/bin/procmail command on your system?

     
  • rj elleray

    rj elleray - 2020-10-04

    Jamie
    -rwsr-sr-x 1 root root 107984 Nov 28 2017 /usr/bin/procmail
    d

     
  • Jamie Cameron

    Jamie Cameron - 2020-10-05

    Also, what output do you get from grep mailbox_command /etc/postfix/main.cf

    It should be like :

    mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME

     
  • rj elleray

    rj elleray - 2020-10-05

    James

    mailbox_command = /usr/bin/procmail

    not changed by me from original.

    d

     
  • Jamie Cameron

    Jamie Cameron - 2020-10-05

    Ok, that's the problem. Assuming that /usr/bin/procmail-wrapper exists, try changing that line to what I suggested, then restarting Postfix.

     
  • rj elleray

    rj elleray - 2020-10-05

    it may be but no /usr/bin/procmail-wrapper !

     
  • Ilia

    Ilia - 2020-10-05

    -rwsr-sr-x 1 root root 107984 Nov 28 2017 /usr/bin/procmail

    These are not standard permissions for /usr/bin/procmail. I think it was set by Perl and should not break anything. Nevertheless, you can fix it by running chmod 0755 /usr/bin/procmail or, better, by reinstalling it with the yum reinstall procmail command.

    it may be but no /usr/bin/procmail-wrapper !

    You can grab it from here:

    http://software.virtualmin.com/vm/6/gpl/rhel/7/x86_64/procmail-wrapper-1.0-1.vm.x86_64.rpm
    

    .. however, I would rather check that the /etc/yum.repos.d/virtualmin.repo file exists and is configured correctly, like:

    [virtualmin]
    name=RHEL/CentOS $releasever - $basearch - Virtualmin
    baseurl=http://software.virtualmin.com/vm/6/gpl/centos/$releasever/$basearch/
    enabled=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-6
    gpgcheck=1
    
    [virtualmin-universal]
    name=Virtualmin Distribution Neutral Packages
    baseurl=http://software.virtualmin.com/vm/6/gpl/universal/
    enabled=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-6
    gpgcheck=1
    

    .. and then run yum install procmail-wrapper.

    I would recommend installing Virtualmin with the official install script.

     

    Last edit: Ilia 2020-10-05
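
    The three things checked in the replies above (the Postfix mailbox_command, the mode bits on /usr/bin/procmail, and whether procmail-wrapper is installed) can be gathered into one audit. This is an added example, not part of the thread or of Virtualmin; the function names are hypothetical and the sample main.cf line is constructed to match the reporter's state.

```shell
#!/bin/sh
# Added example, not from the ticket. Expected values are the ones quoted in the thread.
# Live use (GNU stat):
#   audit_delivery /etc/postfix/main.cf "$(stat -c %A /usr/bin/procmail)" \
#       "$([ -x /usr/bin/procmail-wrapper ] && echo yes || echo no)"

# Print the effective mailbox_command from a main.cf-style file.
# Postfix keeps the last assignment; continuation lines are not handled here.
mailbox_command_value() {
    awk '/^mailbox_command[ \t]*=/ {
             v = $0
             sub(/^[^=]*=[ \t]*/, "", v)
             sub(/[ \t]+$/, "", v)
         }
         END { print v }' "$1"
}

# Succeed if an ls/stat-style mode string (e.g. -rwsr-sr-x) has setuid or setgid set.
mode_is_setid() {
    case "$1" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_delivery MAIN_CF PROCMAIL_MODE WRAPPER_PRESENT(yes|no)
audit_delivery() {
    cmd=$(mailbox_command_value "$1")
    case "$cmd" in
        "/usr/bin/procmail-wrapper "*) echo "OK   mailbox_command uses procmail-wrapper" ;;
        "") echo "WARN mailbox_command is not set" ;;
        *)  echo "WARN mailbox_command is '$cmd', not procmail-wrapper" ;;
    esac
    if mode_is_setid "$2"; then
        echo "WARN procmail mode $2 carries setuid/setgid bits"
    else
        echo "OK   procmail mode $2"
    fi
    [ "$3" = yes ] || echo "WARN /usr/bin/procmail-wrapper is missing"
}

# Constructed sample reproducing the reporter's state.
sample=$(mktemp)
printf '%s\n' '# constructed main.cf fragment' 'mailbox_command = /usr/bin/procmail' > "$sample"
audit_delivery "$sample" "-rwsr-sr-x" no
rm -f "$sample"
```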
  • rj elleray

    rj elleray - 2020-10-06

    Ilia/Jamie

    done most of the above and will await it arising again..

    will close in 5 days if it doesn't re-occur.

    thanks
    D

    ps for those who only use the virtualmin module (as I have done for over a decade), not the full enchilada virtualmin install from scratch, as opposed to adding the virtualmin module to webmin

    you won't get httpd updates flagged if you use this...
    I didn't find the gpg key for the second section ...

    [virtualmin]
    name=RHEL/CentOS $releasever - $basearch - Virtualmin
    baseurl=http://software.virtualmin.com/vm/6/gpl/centos/$releasever/$basearch/
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-6
    gpgcheck=1
    
    [virtualmin-universal]
    name=Virtualmin Distribution Neutral Packages
    baseurl=http://software.virtualmin.com/vm/6/gpl/universal/
    enabled=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin-6
    gpgcheck=0
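
    With gpgcheck=0, yum installs packages from that section without verifying their signatures. The following added example (not part of the thread or of Virtualmin; the function name is hypothetical) reports enabled .repo sections that set gpgcheck=0 and rates them higher when the baseurl is plain http. The sample input is the two sections as posted above, with the name and gpgkey lines omitted.

```shell
#!/bin/sh
# Added example, not from the ticket.

# repo_findings FILE: report enabled sections of a yum .repo file that set gpgcheck=0.
# Only explicit per-section settings are read; [main] defaults from yum.conf are not.
repo_findings() {
    awk '
    function report() {
        if (sec == "" || enabled == "0" || gpgcheck != "0") return
        if (url ~ /^http:/)
            print "HIGH " sec ": gpgcheck=0 with plain-http baseurl"
        else
            print "WARN " sec ": gpgcheck=0"
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }
    /^\[/ {
        report()
        sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        enabled = "1"; gpgcheck = ""; url = ""
        next
    }
    {
        i = index($0, "=")
        if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "enabled")  enabled = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "baseurl")  url = val
    }
    END { report() }' "$1"
}

# The two sections as posted above, written to a temporary file.
repo=$(mktemp)
cat > "$repo" <<'EOF'
[virtualmin]
baseurl=http://software.virtualmin.com/vm/6/gpl/centos/$releasever/$basearch/
enabled=0
gpgcheck=1

[virtualmin-universal]
baseurl=http://software.virtualmin.com/vm/6/gpl/universal/
enabled=1
gpgcheck=0
EOF
repo_findings "$repo"
rm -f "$repo"
```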
    
     
  • Ilia

    Ilia - 2020-10-07

    you won't get httpd updates flagged if you use this...

    We have custom httpd builds for CentOS 6/7 (not 8). You can exclude httpd from being installed from the Virtualmin repo and stay on the mainstream version with:

    exclude=httpd
    

    I didn't find the gpg key for the second section

    https://software.virtualmin.com/vm/6/gpl/centos/7/x86_64/virtualmin-release-latest.noarch.rpm

     
  • rj elleray

    rj elleray - 2020-10-07

    tks for the key for the second bit, and the other (for other people) ?

    well I live and learn YUM repos settings after decades.. but I'm not a linux expert in any fashion, just a practitioner.

    thanks

    also needs exclude=httpd-tools so exclude=httpd,httpd-tools
    or perhaps instead exclude-httpd* ????

     

    Last edit: rj elleray 2020-10-07
  • Ilia

    Ilia - 2020-10-08

    Yes, go with:

    exclude=httpd*
    
     
  • rj elleray

    rj elleray - 2020-10-08

    that showed no httpd updates from webmin :-)
    Clearing package caches ..
    .. done
    Re-fetching available packages ..
    .. found 0 possible updates
    thanks

    at the moment not seeing any procmail log errors but will review on Monday :-)
    so flag as closed in the interim

     

    Last edit: rj elleray 2020-10-08