
> Chrooted XMail Howto, Run XMail without root privileges ...
hschneider
Posted: May 30 2003, 05:04 PM
QUOTE

A small how-to for running chrooted XMail
First, about chrooting.
1.1) Try to build and run XMail without any chrooting from /var/MailRoot as distributed.
1.2) Create a directory for chrooting, e.g. /chroot/xmail, and move /var/MailRoot to /chroot/xmail
1.3) Copy all libs which XMail depends on to /chroot/xmail/lib. ldd shows these libraries, and the following command filters the ldd output through sed and passes it via xargs to the copy command:
# cd /chroot/xmail; mkdir lib; ldd var/MailRoot/bin/XMail |\
  sed -n 's/[[:blank:]][^>]\+>[[:blank:]]\([[:graph:]]\+\).*/\1 lib\/ /p'\
  |xargs -n 2 cp -u
   
1.4) Create the /chroot/xmail/dev/null device node identical to the one in /dev (using the same sed/xargs piping trick):
# mkdir /chroot/xmail/dev; ls -Ll /dev/null |\
  awk '{sub(",","",$5); print $5 " " $6}' |\
  xargs mknod /chroot/xmail/dev/null c

1.5) You may run XMail with the command
# chroot /chroot/xmail /var/MailRoot/bin/XMail -Ms /var/MailRoot

Next, about running from unprivileged user.
2.1) Create xmail group and xmail user:
# groupadd xmail
# useradd -g xmail -d /nonexistant -s /bin/false xmail
   
2.2) Change owner of all /chroot/xmail hierarchy to xmail:xmail
# chown -R xmail.xmail /chroot/xmail/var/MailRoot
   
2.3) Insert iptables nat rules to redirect packets from the POP3, SMTP and FINGER ports to the unprivileged ports you bind XMail to:
# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-ports 29110
# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-ports 29025
# /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 79 -j REDIRECT --to-ports 29079
   
2.4) Now you can run XMail in unprivileged mode:
# su - xmail -c "/chroot/xmail/var/MailRoot/bin/XMail -Ms /chroot/xmail/var/MailRoot -Pp 29110 -Sp 29025 -Fp 29079"
   
Last, about running unprivileged and chrooted.
3.1) If you are a lucky user of a Linux which has a start-stop-daemon with the ability to run processes chrooted and as another user, you can run XMail by this start-stop-daemon.
This daemon needs some preparation: a /chroot/xmail/var/run directory to store XMail.pid, and chown to xmail of /chroot/xmail/var and /chroot/xmail/dev:
# mkdir /chroot/xmail/var/run
# chown -R xmail.xmail /chroot/xmail/var /chroot/xmail/dev

And after this everything is ready to start XMail:
# start-stop-daemon --start -c xmail -r /chroot/xmail \
  --startas /var/MailRoot/bin/XMail --pidfile=/var/run/XMail.pid -- \
  "-Ms /chroot/xmail/var/MailRoot -Pp 29110 -Sp 29025 -Fp 29079"

I tested it in Gentoo Linux. I think it will work in Debian, AltLinux. For Gentoo Linux you may take XMail ebuild here.
3.2) If your Linux is SUSE, you should give compartment a try, http://www.suse.de/~marc/compartment.html.
3.3) Otherwise you should ask Davide Libenzi ;-) to add setgid() and setuid() calls to the XMail server after binding to the POP3/SMTP/FINGER ports. Then all these tricks will be obsolete.
Debugging
If something goes wrong and you do not see XMail in the ps aux list and no /chroot/xmail/var/run/XMail.pid file is created, you can use strace to debug chrooted XMail.
4.1) To prepare, first copy strace to /chroot/xmail:
# cp `which strace` /chroot/xmail

4.2) Copy libs it needs to /chroot/xmail/lib:
# cd /chroot/xmail; ldd strace |\
  sed -n 's/[[:blank:]][^>]\+>[[:blank:]]\([[:graph:]]\+\).*/\1 lib\/ /p'\
  |xargs -n 2 cp -u

4.3) And then run XMail under strace with the -o option to save the resulting log to a file and the -f option to trace forked processes:
# start-stop-daemon --start -c xmail -r /chroot/xmail \
  --startas /strace --pidfile=/var/run/XMail.pid -- \
  -o /strace.log -f /var/MailRoot/bin/XMail \
  "-Ms /chroot/xmail/var/MailRoot -Pp 29110 -Sp 29025 -Fp 29079"

4.4) The log file /chroot/xmail/strace.log may contain information which will help you understand the problems, as it helped me.

Links
XMail mail server: http://XmailServer.org
Gentoo Linux: http://Gentoo.org
XMail ebuild for Gentoo and instructions on its usage: http://spectr.org/sergey/XMail_for_Gentoo.html
Comprehensive manual about chrooting daemons and system processes: http://www.networkdweebs.com/chroot.html
"Spectr" magazine in Russian, which granted me space to publish this material: http://Spectr.org



--------------------
Bye,
Harald
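The chroot staging steps 1.3 and 1.4 above, plus the /tmp directory noted in the follow-up below, as an added example that is not part of the quoted how-to or of XMail itself. It assumes GNU ldd, ls and cp; CHROOT and XMAIL_BIN are constructed defaults matching the how-to's layout.

```shell
#!/bin/sh
# Added example, not part of the original how-to: helpers that stage and
# check the XMail chroot described above. Assumes GNU ldd, ls and cp output
# and options; CHROOT and XMAIL_BIN are constructed defaults.
CHROOT=${CHROOT:-/chroot/xmail}
XMAIL_BIN=${XMAIL_BIN:-var/MailRoot/bin/XMail}

# Read ldd output on stdin and print one library path per line. Unlike the
# how-to's sed expression this also keeps the bare loader line
# ("/lib/ld-linux.so.2 (0x...)"), which must exist inside the chroot or
# nothing runs, and skips the file-less vdso/linux-gate pseudo-library.
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }  $1 ~ /^\// { print $1 }'
}

# Read "ls -Ll /dev/null" output on stdin and print "major minor".
# The how-to's awk prints the return value of sub() (always 1) as the major
# number, which only works because /dev/null really has major number 1.
major_minor() {
    awk '{ sub(",", "", $5); print $5, $6 }'
}

# Report what the chroot still lacks; exit status 1 if anything is missing.
check_chroot() {
    missing=0
    for p in lib dev/null tmp var/run var/MailRoot/bin/XMail; do
        [ -e "$1/$p" ] || { echo "missing: $1/$p"; missing=1; }
    done
    return $missing
}

# Build the tree: libraries under their original paths, /dev/null, a /tmp
# (the follow-up post's fix) and /var/run for the pid file, then hand the
# writable parts to the xmail user. Run as root.
stage_chroot() {
    cd "$CHROOT" || return 1
    mkdir -p dev tmp var/run
    ldd "$XMAIL_BIN" | ldd_paths | xargs cp -u --parents -t .
    [ -e dev/null ] || ls -Ll /dev/null | major_minor | xargs mknod dev/null c
    chmod 1777 tmp
    chown -R xmail:xmail var dev tmp
    check_chroot "$CHROOT"
}
```

Copying with --parents keeps each library under its original directory (lib, lib64, usr/lib), so the loader's absolute path resolves inside the chroot; check_chroot can be rerun any time to see what is still missing.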

hschneider
Posted: Mar 11 2004, 12:52 PM
Also take care of this:

QUOTE

http://www.spectr.org/sergey/HowTo-Chrooted-XMail.html

works fine, but without a /tmp dir in the chroot it doesn't work ;-)

so long, soenke


--------------------
Bye,
Harald