Chrooted XMail Howto, Run XMail without root privileges ...
hschneider ("No - I'm not an answering script ...") | Group: Admin | Posts: 6631 | Member No.: 195 | Joined: 19-June 02
Posted: May 30 2003, 05:04 PM
QUOTE

A small how-to for running chrooted XMail

First, about chrooting.

1.1) Try to build and run XMail without any chrooting from /var/MailRoot as distributed.

1.2) Create some directory for chrooting, e.g. /chroot/xmail, and move /var/MailRoot to /chroot/xmail.

1.3) Copy all libs which XMail depends on to /chroot/xmail/lib. ldd shows these libraries, and the following command filters the ldd output with sed and passes it via xargs to the copy command:

    # cd /chroot/xmail; mkdir lib; ldd var/MailRoot/bin/XMail |\
      sed -n 's/[[:blank:]][^>]\+>[[:blank:]]\([[:graph:]]\+\).*/\1 lib\/ /p' |\
      xargs -n 2 cp -u

1.4) Create the /chroot/xmail/dev/null device node identical to the one in /dev (using the same |sed|xargs piping trick):

    # mkdir /chroot/xmail/dev; ls -Ll /dev/null |\
      awk '{sub(",","",$5); print $5 " " $6}' |\
      xargs mknod /chroot/xmail/dev/null c

1.5) You may run XMail with the command:

    # chroot /chroot/xmail /var/MailRoot/bin/XMail -Ms /var/MailRoot

Next, about running from an unprivileged user.

2.1) Create the xmail group and the xmail user:

    # groupadd xmail
    # useradd -g xmail -d /nonexistant -s /bin/false xmail

2.2) Change the owner of the whole /chroot/xmail hierarchy to xmail:xmail:

    # chown -R xmail.xmail /chroot/xmail/var/MailRoot

2.3) Insert into the nat iptables table rules to redirect packets from the POP3, SMTP and FINGER ports to the unprivileged ports you bind XMail to:

    # /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-ports 29110
    # /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-ports 29025
    # /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 79 -j REDIRECT --to-ports 29079

2.4) Now you can run XMail in unprivileged mode:

    # su -s /bin/sh - xmail -c "/chroot/xmail/var/MailRoot/bin/XMail -Ms /chroot/xmail/var/MailRoot -Pp 29110 -Sp 29025 -Fp 29079"

The last, about running unprivileged and chrooted.

3.1) If you are a lucky user of a Linux which has start-stop-daemon with the ability to run processes chrooted and as another user, you can run XMail by this start-stop-daemon. This daemon needs some preparation: a /chroot/xmail/var/run directory to store XMail.pid, and a chown to xmail of /chroot/xmail/var and /chroot/xmail/dev:

    # mkdir /chroot/xmail/var/run
    # chown -R xmail.xmail /chroot/xmail/var /chroot/xmail/dev

And after this everything is ready to start XMail:

    # start-stop-daemon --start -c xmail -r /chroot/xmail \
      --startas /var/MailRoot/bin/XMail --pidfile=/var/run/XMail.pid -- \
      -Ms /var/MailRoot -Pp 29110 -Sp 29025 -Fp 29079

I tested it in Gentoo Linux. I think it will work in Debian, AltLinux. For Gentoo Linux you may take the XMail ebuild here.

3.2) If your Linux is SUSE, you should give a try to compartment, http://www.suse.de/~marc/compartment.html.

3.3) Else you should ask Davide Libenzi ;-) to add setgid() and setuid() to the XMail server, after binding to the POP3/SMTP/FINGER ports. Then all these tricks will become obsolete.

Debugging

If something goes wrong and you do not see XMail in the ps aux list and no /chroot/xmail/var/run/XMail.pid file is created, you can use strace to debug chrooted XMail.

4.1) To prepare, first copy strace to /chroot/xmail:

    # cp `which strace` /chroot/xmail

4.2) Copy the libs it needs to /chroot/xmail/lib:

    # cd /chroot/xmail; ldd strace |\
      sed -n 's/[[:blank:]][^>]\+>[[:blank:]]\([[:graph:]]\+\).*/\1 lib\/ /p' |\
      xargs -n 2 cp -u

4.3) And then run XMail under strace with the -o option to save the result log to a file and the -f option to trace forked processes:

    # start-stop-daemon --start -c xmail -r /chroot/xmail \
      --startas /strace --pidfile=/var/run/XMail.pid -- \
      -o /strace.log -f /var/MailRoot/bin/XMail \
      -Ms /var/MailRoot -Pp 29110 -Sp 29025 -Fp 29079

4.4) The log file /chroot/xmail/strace.log may contain information which will help you understand the problems, as it helped me.

Links

XMail mail server: http://XmailServer.org
Gentoo Linux: http://Gentoo.org
XMail ebuild for Gentoo and instructions on its usage: http://spectr.org/sergey/XMail_for_Gentoo.html
Comprehensive manual about chrooting daemons and system processes: http://www.networkdweebs.com/chroot.html
"Spectr" magazine in Russian, which granted me a place to publish this material: http://Spectr.org
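The steps above (copy the daemon's libraries into the jail, recreate /dev/null, redirect the privileged ports, start chrooted as the xmail user) condensed into one script, as an added example that is neither part of the quoted how-to nor XMail's own code. It assumes Linux with GNU coreutils (stat -c, cp --parents) and a glibc ldd; JAIL, the in-jail daemon path and the port numbers are the example's own values, copied from the how-to's layout. It differs from the how-to in three places a practitioner gets bitten by: it keeps the library directory layout instead of flattening everything into lib/ (the ELF interpreter path is fixed at link time, so /lib64/ld-linux-x86-64.so.2 must exist at that path inside the jail), it reads the device numbers with stat instead of parsing ls, and it verifies the jail before the first chroot, which is usually faster than the strace route.

```shell
#!/bin/sh
# Added example (not from the original post or from XMail): build and
# sanity-check a minimal chroot tree for a dynamically linked daemon, then
# launch it unprivileged behind a nat REDIRECT, as the how-to does.
# Assumptions: Linux, GNU coreutils (stat -c, cp --parents), glibc ldd.
# JAIL, DAEMON and the ports are the example's own values.

JAIL=${JAIL:-/chroot/xmail}
DAEMON=/var/MailRoot/bin/XMail      # path as seen from inside the jail

# parse_ldd: read ldd output on stdin, print each needed file once.
# Both line shapes ldd prints are handled:
#   "  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
#   "  /lib64/ld-linux-x86-64.so.2 (0x...)"   <- the loader, no "=>"
# The vdso has no file behind it and is skipped. "not found" is an error:
# inside the jail the daemon would just die with no useful message.
parse_ldd() {
    awk '
        / => not found/          { print "unresolved: " $1 > "/dev/stderr"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\// { if (!seen[$3]++) print $3; next }
        $1 ~ /^\//               { if (!seen[$1]++) print $1 }
        END                      { exit bad }
    '
}

# install_into JAIL: copy each path read from stdin into JAIL, keeping the
# directory layout (so /lib64 stays /lib64 inside the jail).
install_into() {
    jail=$1
    mkdir -p "$jail"
    while IFS= read -r p; do
        cp --parents -L "$p" "$jail/"   # -L: copy the file, not the symlink
    done
}

# dev_numbers PATH: print "MAJOR MINOR" of a device node in decimal.
# stat's %t/%T are the numbers in hex, so no ls parsing is needed.
dev_numbers() {
    set -- $(stat -c '%t %T' "$1")
    echo "$((0x$1)) $((0x$2))"
}

# check_jail JAIL BIN: BIN is the in-jail path of the daemon. Confirm every
# file the loader will open exists under JAIL. Run this before the first
# chroot; it is cheaper than strace.
check_jail() {
    jail=$1; bin=$2; rc=0
    [ -f "$jail$bin" ] || { echo "missing in jail: $bin" >&2; rc=1; }
    for p in $(ldd "$jail$bin" | parse_ldd); do
        [ -f "$jail$p" ] || { echo "missing in jail: $p" >&2; rc=1; }
    done
    return $rc
}

# Root-only steps, kept in one function so the helpers above can be
# exercised without privileges. Expects MailRoot already moved into $JAIL.
build_and_start() {
    libs=$(ldd "$JAIL$DAEMON" | parse_ldd) || return 1
    printf '%s\n' "$libs" | install_into "$JAIL"
    mkdir -p "$JAIL/dev" "$JAIL/var/run"
    set -- $(dev_numbers /dev/null)
    [ -c "$JAIL/dev/null" ] || mknod -m 666 "$JAIL/dev/null" c "$1" "$2"
    chown -R xmail:xmail "$JAIL/var" "$JAIL/dev"
    check_jail "$JAIL" "$DAEMON" || return 1

    # Traffic arriving on eth0 for 25/110/79 -> the unprivileged ports.
    # PREROUTING never sees locally generated packets; add the same rules
    # to the nat OUTPUT chain if clients on this host must reach the daemon.
    for pair in 25:29025 110:29110 79:29079; do
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport "${pair%%:*}" \
            -j REDIRECT --to-ports "${pair#*:}"
    done

    # Each flag is its own argument; quoting them into one string would
    # hand the daemon a single argv entry it cannot parse. Paths after
    # --chroot are relative to the jail.
    start-stop-daemon --start --chuid xmail --chroot "$JAIL" \
        --startas "$DAEMON" -- -Ms /var/MailRoot -Pp 29110 -Sp 29025 -Fp 29079
}

case ${1:-} in apply) build_and_start ;; esac
```

Run it as `sh jail.sh apply` as root once MailRoot sits under $JAIL; without the argument it only defines the helpers, so `check_jail` and `dev_numbers` can be called interactively. The REDIRECT trick is still the portable way to keep a daemon off privileged ports, but on current kernels `setcap cap_net_bind_service=+ep` on the binary (the jail's filesystem must support extended attributes) lets it bind 25/110 directly as the xmail user, which removes the nat rules from the picture.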