topic Re: sendmail toolkit in Operating System - HP-UX

sendmail toolkit

Beth Weller — Tue, 18 Mar 2003 19:44:19 GMT

I turned sendmail off because there was a vonerablility awhile back and I never turned it back on because I didn't use it. Now I have a program that uses sendmail and dies when it can't send mail. I can not get sendmail to start.

# /sbin/init.d/sendmail start
/etc/mail/sendmail.cf: line 662: fileclass: cannot open /etc/mail/sendmail.cw: W
orld writable directory
WARNING: Group writable directory /var
451 /etc/mail/sendmail.cf: line 662: fileclass: cannot open /etc/mail/sendmail.c
w: World writable directory
# ls -ld /etc/mail
dr-xr-xr-x 2 bin bin 1024 Mar 18 12:19 /etc/mail
# ls -la /etc/mail/sendmail.c*
-r--r--r-- 1 bin bin 86837 May 30 2001 /etc/mail/sendmail.cf
-rw-rw-rw- 1 bin bin 710 Feb 20 2002 /etc/mail/sendmail.cw
#

I played with chmod for a while with no results.

Re: sendmail toolkit

someone_4 — Tue, 18 Mar 2003 19:55:14 GMT

Hi beth first of all I suggest patching up your sendmail for the latest Vulnerability.
Here is the link

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xdd549c196a4bd71190080090279cd0f9,00.html

use sendmail -bs to see what version you are running.

If you are running 8.8.3 you will have to upgrade your sendmail to 8.11.1
From:
http://www.software.hp.com/ISS_products_list.html

And then apply the patch.
From there go to /usr/newconfig/etc/mail/cf/cf/

and run
./gen_cf
you can choose the default sendmail by choosing option 2.

That will create a sendmail.cf.gen ..
move that to /etc/mail/sendmail.cf

and you should be able to start sendmail.

Richard

Re: sendmail toolkit

Shannon Petry — Tue, 18 Mar 2003 19:56:42 GMT

The errors are very specific, and should be corrected by following the error returned by trying to start up sendmail.

First,

WARNING: Group writeable directory /var

% chmod 555 /var

Next,

451 /etc/mail/sendmail.cf line 662: fileclass: cannot open /etc/mail/sendmail.cw:World writable directory

% chmod 555 /etc/mail

Next, your permissions on /etc/mail/sendmail.cw will also cause an error.

% chmod 444 /etc/mail/sendmail.cw

Obviously, someone has made modifications to this system which will have grave security issues.

Default permissions on both /var and /etc/mail are 555, and are now both set to 777. If these two directories were changed to world writable, then Im sure that more was changed as well.

If this system is NOT behind a firewall and will NOT be sending mail anywhere outside of the local network, then feel free to use it by fixing the errors in the above method.

However, if this system will connect anywhere of the lan, I would recommend you re-install the OS and install a Bastion tool or Bastile kit to reduce security risks.

It will literally take a malicous person minutes to gain root access on a system where permissions are open on critical files and directories. Of course they have to find you and gain access. That being said I would not want to gamble that they will take their time in finding you.

Sincerely,
Shannon Petry

Re: sendmail toolkit

someone_4 — Tue, 18 Mar 2003 19:57:34 GMT

oh .. Here are my premissions for the directions you have in question ..

/> ll -d /var
dr-xr-xr-x 21 bin bin 1024 Feb 10 2001 /var
/> ll -d /etc
dr-xr-xr-x 27 bin bin 7168 Mar 18 02:29 /etc
/> cd /etc/
/etc> ll -d /etc/mail
dr-xr-xr-x 3 bin bin 1024 Mar 17 23:58 /etc/mail
/etc>
/etc> cd mail
/etc/mail> ll sendmail*
-r-------- 1 root sys 94269 Dec 18 15:57 sendmail.cf
-r-------- 1 root sys 94270 Dec 17 12:23 sendmail.cf.look
-rw-rw-rw- 1 root sys 81 Mar 12 2002 sendmail.cw
-rw------- 1 root sys 81 Mar 12 2002 sendmail.cw.1
-rw-r--r-- 1 root mail 34 Mar 17 23:58 sendmail.pid
/etc/mail>

Richard

Re: sendmail toolkit

Shannon Petry — Tue, 18 Mar 2003 20:08:29 GMT

Richard,

My guess is that you gave permissions to be helpfull, however it may be counter productive in this case.

If critical directories like /var and /etc/mail have had permissions opened, then you nor I can have any idea what else has been modified.

Have you ever been had by a hacker before? I have, back in my early Linux days. (RH 6.1, but the flaw was in all Linux versions of wu_ftpd).

It's not fun, and caused alot more damage than me just re-installing an OS. It cost credibility for my company, credibility for myself, days of data recovery and security tuning of other systems to ensure that they were not tampered with, and months of worry that it would happen again.

On the plus side, I learned alot about forensics, and security. But I dont recommend to anyone that they be forced to have the same crash courses I did.

Sincerely,
Shannon

Re: sendmail toolkit

Beth Weller — Wed, 19 Mar 2003 13:53:40 GMT

RESOLVED!

Thank all of you for your quick response.

Playing with permissions is very detrimental to my users. Yes I am behind a firewall but I will research because you can never be too secure.

I pounded out the sendmail.fw and the alias lines in sendmail.cw. Then sendmail started. I am going to get the upgrade that will hopefully fix it the right way.

As for the toolkit problem it was because I didn't have my environment set up correctly (ORA_CLENT_LIB or ORACLE_TERM)

I am going to install the sendmail patch you mentioned.

Re: sendmail toolkit

someone_4 — Wed, 19 Mar 2003 23:03:16 GMT

hey Shannon,
I hope you are still reading this post.

Can you tell me more about what happened to you and your hacker?
And I agree about permissions .. I have had problems with that in the past and it is not good. Good thing it was a test box.

~Richard