Bounce.cgi and Postfix

[scitools]

Hi,

Our mail server uses Postfix.  But when I test bouncing, I get this back:

<lmp-bounce@scitools.com>: Command died with status 1:
    "/virtual/scitools.com/ListMail/cgi/bounce.cgi". Command output: local:
    fatal: execvp /web/scitools.com/ListMail/cgi/bounce.cgi: No such file
    or directory

Now, I know that that path exists. I can paste it out of this message into a more command and see the file:

more /web/scitools.com/ListMail/cgi/bounce.cgi

works.

And I know the mod is "0755".

Is there some magic to making ListMail work with Postfix that I'm not aware of?  I notice the help says it only supports Sendmail and Qmail.  Am I just out of luck?

I've searched the forums and found nothing on this.

Thanks,

Ken

[scitools]

I figured this out.  It had to do with Postfix not liking #!/usr/bin/perl at the top of the script.

I'm a bit disappointed by the slow support response. Or lack of response.

[dl1217]

I'm a bit disappointed by the slow support response. Or lack of response.

i agree... response times appear to be long but its also the holidays so who knows ......  :?:

[DW]

Sorry about the delay - remember this is 100% free support - for high-priority hands-on assistance please order Tech Support.  I'm glad you were able to get the problem sorted out!  I would have suggested that your site could have been running in a 'chroot' environment and the mailer might not have been able to reach the file.

Sometimes bash or sh shells will not like the shebang (#!/usr/bin/perl) line at the top of the script if the file contains DOS line breaks instead of Linux ones.  Try using a text editor that can save Linux "bare LF" line feeds.

Please let me know if I can be of further assistance!

Regards

[funston]

Hi Dean and Merry Christmas,

I have a similiar problem, but I don't think shebang has anything to do with it. My shebang is correct and error log doesn't complain about that. Actually, I don't understand how a cgi script could run without shebang.

However, when I send a email to signup to list 1 it bounces with with the following message:
status=bounced (Command died with status 1: "/home/useralias/public_html/cgi-bin/signup-list1.cgi"

It looks like the .forward file, located in the useralias directory, with the above pipe in it can't send the email message to the cgi-bin or perhaps when it gets there perl can't parse the email message.

At any rate when I use the command setenforce 0 everything works just great. FYI I have previously set the correct context label recursively for the cgi-bin so signup-list1.cgi will execute under selinux, and chmod 755.

Is there anything I can do to get everything working without using the command setenforce 0.

I've been hacked so many times this year I don't want to turn off the security enhanced linux, i.e. selinux. Perhaps I need to change a policy file?

Any suggestions would be greatly appreciated.  Thank your very much for  all your help!

[DW]

Greetings,

Do you have the same problem setting up the bounce.cgi script?

Are you using the pipe character before the path to the .cgi script? ie, in your /etc/aliases or /etc/postfix/aliases (or /etc/postfix/virtual - sadly I'm not a postfix expert yet )

Code: [Select]

bounce@example.com: "|/home/useralias/public_html/cgi-bin/signup-list1.cgi"
You might want to try adding /usr/bin/perl, as follows:

Code: [Select]

bounce@example.com: "|/usr/bin/perl /home/useralias/public_html/cgi-bin/signup-list1.cgi"
Do you know if your server supports a .forward.postfix file similar to DreamHost so we might use procmail instead of aliases? (see here).

My suggestions likely won't help but maybe you've figured it out by now or have some new ideas.  Please let me know if you still can't get it and/or have a new error message.

Regards, DW

[funston]

Greetings,

Thank you for you prompt and helpful remarks.

I will try using your examples in the .forward file, however as I mentioned just as soon as I turn off selinux everything works like a charm.

I changed some context labels and tried different directories now I get the following error:

Permission denied: exec of '/home/domain.net/public_html/cgi-bin/support4u/signup-list1.cgi' failed
[Thu Dec 21 16:13:23 2006] [error] Premature end of script headers: signup-list1.cgi

Remember, as soon as I turn off selinux, ie setenforce=0, everything works just fine.

This is a permission problem with security enhanced linux. Postfix works fine with .forward but it looks like I may have to create sort of a throw away domain just so I can use the cgi-bin exclusively for ListMail, since I feel compelled to continue using selinux.

Right now it looks like nested or subdirctories in the cgi-bin are no longer permitted with selinux, i.e. only stuff in the /cgi-bin/ not /cgi-bin/support4u/, unless of course you change the ScriptAlias specifically in the Apache <VirtualHost directives.

I have created a ScriptAlias for the useralias directory in Apache configuration, but so far selinux still complains, perhaps because there is no DNS assciated with it. Apache doesn't complain about the change in configuration so something may be right.

At any rate I will let you know if I find a work around for selinux and using ListMail. It's a tough nut to crack, but thats what I need. Hacked twice from Brazil this year.

Merry Christmas and thank you very much for your response. I can't believe that a few actually complain about response times. I would wait for days to get expert help, especially for free! Thanks again

Kind Regards,
Frank Eckdall
PD & FYI:
I use "chcon -h -t system_u:object_r:httpd_sys_script_exec_t -R cgi-bin" to set the context label for cgi-bin and its scripts.

[funston]

Hi Dean,

I lament to tell you I have failed trying to get signup-list1.cgi to execute successfully with selinux turned on, even though I have changed the extended attribute or context label to system_u:object_r:httpd_sys_script_exec_t for the cgi script. I have also used chmod 755 and 777

I used your suggestion and included the path to perl inside the .forward file and got the following error message:
Diagnostic-Code: X-Postfix; Command died with status 13: " /usr/bin/perl
    /home/domain.net/public_html/cgi-bin/signup-list1.cgi". Command output:
    Can't open perl script
    "/home/domain.net/public_html/cgi-bin/signup-list1.cgi": Permission denied

All of the php seems to be working just fine. Would it be possible to use a php script to parse and send the email information to signup.php, instead of signup-list1.cgi?

Please let me know if you or someone else can potentially figure this out because keeping selinux turned on is a must after so many attacks.

Tanks beforehand,
Frank Eckdall
P.D. I'm using Fedora Core 4 downgraded  form php 5 to php4, essentially the same thing as Red Hat Enterprise Linux 4 upgrade 3.

[DW]

Hi Frank,

Thanks for your kind comment and for forwarding so many details.  I have a good understanding of Linux systems but little experience with selinux and postfix, which makes for some difficult troubleshooting.  Perhaps I can help by pointing out something obvious:

Command output:
Can't open perl script
"/home/domain.net/public_html/cgi-bin/signup-list1.cgi": Permission denied

For the most part I manage Plesk/qmail servers.  On these servers in order for the mailer to be able to reach CGI scripts in the users' cgi-bin folder, the cgi-bin folder must be chmod +x to be accessible by the mailer or a similar Permission denied error happens.  You could try making sure that all parent folders to your cgi-bin folder are +x to be sure all users (particularly the mail-forwarding user) can browse to it.

What is the error with the new signup-list1.cgi location and without the /usr/bin/perl command-line prefix?  Do you get the same "Permission denied" message?

All of the php seems to be working just fine. Would it be possible to use a php script to parse and send the email information to signup.php, instead of signup-list1.cgi?

No, at this time ListMail's signup-by-email feature can only be set up using email forwarding/aliases - a mailbox that is checked by PHP script is currently not supported.

Regards

[funston]

Merry Christmas Dean!

I have used chmod 755 and 777 on the signup-list1.cgi script plus chmod 755 and 777 on the cgi-bin. I think that's what you are asking me to do.

Also, I removed the /usr/bin/perl from inside the ".forward" file leaving the following "| /home/domain.net/public_html/cgi-bin/signup-list1.cgi" inside the .forward file.

A space between the pipe and the path doesn't seem to make any difference,i.e. "| /path/to/signup-list1.cgi" or "|/path/to/signup-list1.cgi" both work when selinux is turned off. Is a space between the pipe symbol and the path incorrect?

Removal of the /usr/bin/perl in forward file returns the following error message:

Command died with status 1: "
    /home/domain.net/public_html/cgi-bin/signup-list1.cgi"

The error_log says the following:

local[3965]: fatal: execvp /home/domain.net/public_html/cgi-bin/signup-list1.cgi: Permission denied
postfix/smtpd[3962]: disconnect from
postfix/local[3964]: 5428E4FD: to=<support@domain.net>, relay=local, delay=1, status=bounced (Command died with status 1: " /home/domain.net/public_html/cgi-bin/signup-list1.cgi")

The message log reveals the following message:

kernel: audit(1166996009.315:18): avc:  denied  { getattr } for  pid=3962 comm="smtpd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:boot_t tclass=dir

kernel: audit(1166996009.315:19): avc:  denied  { getattr } for  pid=3962 comm="smtpd" name="/" dev=hda2 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:home_root_t tclass=dir

kernel: audit(1166996009.387:20): avc:  denied  { search } for  pid=3965 comm="local" name="domain.net" dev=hda2 ino=1505 scontext=system_u:system_r:postfix_local_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir

I think that the audit daemon in the message log reveals what's wrong,i.e. getattr for pid denied instead of granted. However, I have the correct extended attributes applied to the cgi script and the cgi-bin, ie chcon system_u:object_r:httpd_sys_script_exec_t -R cgi-bin

When I turn off selinux using setenforce=0 everything works, i.e. signup is successful and get a welcome message.

Do you know anyone who could help me with this selinux policy attribute permission problem? I am willing to pay someone to help me with this. All of the attacks have wasted precious years of hard work and the black hats will take me out of the ball game sooner or later again if I turn selinux off.

Kind regards,
Frank Eckdall
P.D. I should add that I can run a simple test.cgi from the browser that reveals the message "Success!", even with selinux turned on. I hope that helps. Here is the code for the test.cgi that works with security enhanced linux turned on. Using http://domain.net/cgi-bin/test.cgi
#!/usr/bin/perl

# CGI Script "test.cgi"

print qq(
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html">
<title>Linux Home Networking</title>
</head>
<body>

Success!

</body>
</html>

[scitools]

You might want to try adding /usr/bin/perl, as follows:

Code: [Select]

bounce@example.com: "|/usr/bin/perl /home/useralias/public_html/cgi-bin/signup-list1.cgi"
Do you know if your server supports a .forward.postfix file similar to DreamHost so we might use procmail instead of aliases? (see here).

I had tried that first, but with no joy.  Instead I now have two scripts for each signup. The first simply cats standard output through the second script.  Apparently, Postfix on our system didn't like #!/usr/bin/perl as a shell.

Ken N.

[DW]

Greetings,

I have used chmod 755 and 777 on the signup-list1.cgi script plus chmod 755 and 777 on the cgi-bin. I think that's what you are asking me to do.

The permissions should be 755 at most, I believe.  I remember something about CGI scripts not being executable with chmod 777, but that may be an apache restriction only relevant when browsing to the script.

I removed the /usr/bin/perl from inside the ".forward" file leaving the following "| /home/domain.net/public_html/cgi-bin/signup-list1.cgi" inside the .forward file.

From the information available this file may require double-quotes to surround the commandline.  Also, make sure there is not a space between the pipe character and the path to the CGI script.

Code: [Select]

"|/home/domain.net/public_html/cgi-bin/signup-list1.cgi"

A space between the pipe and the path doesn't seem to make any difference,i.e. "| /path/to/signup-list1.cgi" or "|/path/to/signup-list1.cgi" both work when selinux is turned off. Is a space between the pipe symbol and the path incorrect?

I am not 100% sure but as above it may be incorrect to have a space.  What you report indicates it may not matter, however.

local[3965]: fatal: execvp /home/domain.net/public_html/cgi-bin/signup-list1.cgi: Permission denied

Lets Google this, "fatal: execvp ".  Interesting results: #1 The second Q&A indicates the Postfix configuration may need to be updated to "allow execution" of either a specific program or in general.  #2 This question highlights one of my first suggestions where all parent folders of /path/to/the/signup-list1.cgi (ie. /path and /path/to and /path/to/the should all be executable for all) should be able to be reached by the mailer-daemon user.  Link #3 is very interesting and includes specific details about selinux - this one may be the gold mine.

Reading the rest of your reply I'm reassured you have extensive knowledge with configuring and troubleshooting Linux.  You may have already covered everything mentioned in the links I suggested...  I'm still digging... Have you seen anything like this?  Perhaps you can and need to modify the selinux rules.

Regards, DW

[funston]

Hi Ken,

Thanks for you imput. What system are you using? Fedora Core, Debian,
CentOS, SUSE, Ubuntu? With selinux or without selinux?

My system Fedora Core 4 , with php downgrade, doeen't like the file called .forward.postfix although I am using postfix. Everything works beautifully using just .forward, as long as selinux is turned off.

I have to admit I don't understand how you fixed your problem but it sounds very creative.

My problem, from looking at the message log and the audit daemon log, is a extended attribute problem or incorrect context label. That is to say either the cgi script signup-list1.cgi has a incorrect context label or .forward has a incorrect context label. I feel sure that I have a applied the correct context label to the cgi script signup-list1.cgi which is done running the following command: chcon system_u:object_r:httpd_sys_script_exec_t -R cgi-bin

So, that only leaves the .forward file without the correct context label or extended attribute.

Kind Regards,
Frank Eckdall
P.D. To find out your current context label just run ls -al --context

[DW]

This is a little bit over my head! I'm hoping for some luck with a solution soon.

[scitools]

Frank,

Here is signup-list1a:
----------------
#/bin/sh

cat | /usr/bin/perl /mywebroot/ListMail/cgi/signup-list1.cgi

-----------------------

It simply calls the script as provided by ListMail.

In my aliases file I have:

signup-list1:   |/mywebroot/ListMail/cgi/signup-list1a.cgi


Now, it may be that somewhere in Postfix or SELLinux (which we run as well) that I can authorize PERL to be a valid shell for e-mail or whatever restriction is hitting but won't bother to inform me of, but  since this got me past it, and we don't have very many lists (so doubling the scripts isn't too bad), I was happy to move on.

Ken N.