Bug 48088 - amavisd-new wants to write to /tmp
Summary: amavisd-new wants to write to /tmp
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High normal
Assignee: Antivirus Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-16 16:50 UTC by Stephen Tallowitz
Modified: 2004-05-03 20:47 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Stephen Tallowitz 2004-04-16 16:50:02 UTC
I installed amavisd-new lately (emerge amavisd-new). I then configured it to work with exim4 (no problem), but when sending a few messages, all those messages got stuck in the amavis "queue" (/var/run/amavis/tmp in my configuration) and the error output in syslog was:
Apr 17 00:43:44 [amavis] (10244-01) TROUBLE in check_mail: mime_decode-1 FAILED: MIME::Parser: can't open tmpfile: Invalid argument
Apr 17 00:43:44 [amavis] (10244-01) PRESERVING EVIDENCE in /var/run/amavis/tmp/amavis-20040417T004344-10244

After fixing some settings in /etc/amavisd.conf and still getting the same error messages, I ran strace on the process, and it was clear why this error appeared:
open("/tmp/PerlIO_gE1dLe", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = -1 EACCES (Permission denied)

I have tried playing around with many settings in /etc/amavisd.conf, but to no avail. Am I just missing out on some obvious settings? At the moment the only (insecure) workaround for me is to set the permissions on /tmp to 777.

Reproducible: Always
Steps to Reproduce:
1. Install amavisd-new
2. Configure exim v4 according to http://www.ijs.si/software/amavisd/README.exim_v4
3. Send an email to exim
Actual Results:  
Email gets stuck in amavis "queue"

Expected Results:  
Process the email normally

Portage 2.0.50-r6 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.6.5)
=================================================================
System uname: 2.6.5 i686 Pentium III (Katmai)
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.8.3
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo
http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/
ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
rsync://linux.rz.ruhr-uni-bochum.de/gentoo/
http://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
rsync://ftp.join.uni-muenster.de/gentoo/
ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
http://mirror.switch.ch/ftp/mirror/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/
ftp://ftp.solnet.ch/mirror/Gentoo
http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apm avi berkdb crypt cups encode foomaticdb gdbm gif gpm gtk2 imlib jpeg
libg++ libwww mad mikmod mmx motif mpeg mysql ncurses nls oggvorbis pam pdflib
perl png python quicktime readline sdl slang spell sse ssh ssl svga tcpd
truetype x86 xml2 xmms xv zlib"
Comment 1 Max Kalika (RETIRED) gentoo-dev 2004-04-24 11:58:53 UTC
Is /tmp writable by all? (mode 1777)
Comment 2 Stephen Tallowitz 2004-04-27 12:02:31 UTC
The point I'm trying to make is that I've done a standard installation of gentoo and /tmp was not set to 777 before. I've now changed the mode of /tmp to 777 as a temporary workaround (see my first entry). I'm worried that setting /tmp to 777 is slightly insecure.
Is it possible to tell perl where to put its temporary files for a script? If so, one could then use the variable $TEMPBASE set in amavisd.conf as the temporary directory for all perl-related tmp-files of amavisd. Only the user amavisd could then access those temporary files, instead of letting any user on the system access the temporary files because they're in /tmp with permissions 777.
Comment 3 Max Kalika (RETIRED) gentoo-dev 2004-04-27 12:28:33 UTC
Not 777 ... 1777. The 1 is crucial for security, as it sets the sticky bit.
Comment 4 Stephen Tallowitz 2004-05-01 02:03:50 UTC
I've now set the permissions to 1777. I didn't know about the "sticky bit", which is the answer to my security-related worries.
Still, there's this small question of whether 1777 is the default mode of the /tmp directory in a standard gentoo installation (as it didn't seem to be in my case).
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-05-03 20:47:04 UTC
Yes, 1777 is the default mode of /tmp; you should have it from your stage[123] tarball.
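The distinction drawn in Comment 3 and Comment 5 (777 versus 1777 on /tmp) is easy to get wrong when fixing permissions by hand, so here is a small added check that is not part of the bug report or of the amavisd-new package. It assumes GNU coreutils `stat` (as on a Gentoo system) and exercises the check on a constructed scratch directory rather than the real /tmp, so it runs as an unprivileged user.

```shell
#!/bin/sh
# Verify that a shared temporary directory is world-writable AND carries the
# sticky bit (octal mode 1777). Assumption: GNU coreutils `stat -c`.

# Print the octal permission bits of a path, e.g. "1777" or "777".
dir_mode() {
    stat -c '%a' "$1"
}

# Return 0 when the directory is exactly mode 1777, 1 otherwise.
# 777 without the sticky bit lets every user remove or rename every other
# user's files in the directory; the leading 1 (sticky bit) restricts
# deletion to the file owner, the directory owner and root.
tmpdir_is_safe() {
    mode=$(dir_mode "$1") || return 1
    [ "$mode" = "1777" ]
}

# Constructed demonstration: create a private scratch directory and flip it
# between the two modes discussed in the thread.
demo_tmpdir_check() {
    scratch=$(mktemp -d) || return 1
    chmod 777 "$scratch"
    if tmpdir_is_safe "$scratch"; then
        echo "777: accepted (unexpected)"
    else
        echo "777: rejected, sticky bit missing"
    fi
    chmod 1777 "$scratch"
    if tmpdir_is_safe "$scratch"; then
        echo "1777: accepted"
    else
        echo "1777: rejected (unexpected)"
    fi
    rmdir "$scratch"
}

# Uncomment to run the demonstration, or check the real directory:
# demo_tmpdir_check
# tmpdir_is_safe /tmp && echo "/tmp ok" || echo "/tmp needs: chmod 1777 /tmp"
```

Note that the strace line in the description shows a `PerlIO_` tmpfile being opened directly under /tmp; whether a given Perl module honours $TEMPBASE or the TMPDIR environment variable depends on which temp-file mechanism it uses, so a correctly configured /tmp (1777) is needed regardless of the amavisd.conf settings.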