retroactively prophetic spam 2: bastille day

Posted by bbinkovitz on 2006.10.31 @ 14:41

From: French Impossible <tsvytkoxaj @projectdelivery.com>
Subject: ar Etail Invades Real

"Warum gabst du uns die tiefen Blicke" Translated

Posted by bbinkovitz on 2006.10.31 @ 14:36

I searched for this in English and couldn’t find it with a Google once-over. So I decided to translate Warum gabst du uns die tiefen Blicke myself (with the help of leo.org). This translation is a bit creative, especially with the punctuation. But I think Goethe would understand.

Why give us insight?
by Johann Wolfgang von Goethe, translated from the German by me.

Why give us the ability
to see consciously our destiny:
our love, our earthly happiness,
and to blissfully fancy
that we can ignore our foreboding?

there's no place like 10.1.1.200

Posted by bbinkovitz on 2006.10.21 @ 11:06

Dear, sweet, patient, virtuous reader.

In your innocence, you may not know how much Fedora Core 6, theoretically only days from the final release version, could possibly suck.

Your tender mind may not be able to imagine the bizarre fatal errors that crashed anaconda (Fedora’s installer) in graphical mode every freaking time we tried to set up the network preferences.

And your unspoiled eyes may never have seen the likes of the errors we got attempting to use the yum repository even after the ostensibly successful installation of Fedora Core 6 in text mode.

But you must try, little children, to wrap your minds around the sheer nameless horror we experienced when we decided, after nearly 10 straight hours of attempting to set up Fedora Core 6, that a total reinstall with Fedora Core 5 was the only way out of the bottomless abyss of night into which we had fallen.

midnight in the garden of softpixel servers

Posted by bbinkovitz on 2006.10.21 @ 10:50

[bbinkovitz@kipu ~]$ fin leikata
leikata: clip, cut, shear, slice

clam readme

Posted by bbinkovitz on 2006.10.21 @ 08:27

To create individual clamd-instance take the following files and
modify/copy them in the suggested way:

clamd.conf:
  * set LogFile, PidFile, LocalSocket and User to suitable values
  * place this file into /etc/clamd.d with a unique service-name;
    e.g. as /etc/clamd.d/<SERVICE>.conf

  To make logfile rotation work properly, the LogFile should be
  writable for the assigned User. Recommended way to reach this, is
  to:
  * make it owned by the User's *group*
  * assign at least 0620 (u+rw,g+w) permissions

  A suitable command might be
  | # touch <logfile>
  | # chgrp <user> <logfile>
  | # chmod 0620   <logfile>

  NEVER use 'clamav' as the user since he can modify the database.
  This is the user who is running the application; e.g. for mimedefang
  (http://www.roaringpenguin.com/mimedefang), the user might be
  'defang'. Theoretically, distinct users could be used, but it must be
  made sure that the application-user can write into the socket-file,
  and that the clamd-user can access the files asked by the
  application to be checked.


clamd.logrotate:
  * set the correct value for the logfile
  * place it into /etc/logrotate.d

clamd.sysconfig:
  * set the name of the config-file and the local socket
  * copy it to /etc/sysconfig/clamd.<SERVICE>

clamd.init:
  * set the service-name
  * place it into /etc/init.d/ with a unique name and activate it
    (e.g. with /sbin/chkconfig clamd.<SERVICE> on)

Additionally, a symlink must be set to clamd in a way like
  | # ln -s clamd /usr/sbin/clamd.<SERVICE>
and the directory for the socket file must be created (see 'LocalSocket'
in clamd.conf)
  | # mkdir -p /var/run/clamd.<SERVICE>


This directory must be writable by the 'User' chosen in the config-file.



[Disclaimer:
 this file and the script/configfiles are not part of the official
 clamav package.

 Please send complaints and comments to
 mailto:enrico.scholz@informatik.tu-chemnitz.de!]

/var/log/maillog qmail-scanner error

Posted by bbinkovitz on 2006.10.21 @ 08:22

We were getting this series of errors when running the qmail-scanner test script (/downloads/qmailrocks/qmail-scanner-1.25/contrib/test_installation.sh -doit):

spamd[18368]: spamd: connection from localhost.localdomain [127.0.0.1] at port 51721 
spamd[18368]: spamd: setuid to qscand succeeded 
spamd[18368]: spamd: creating default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: config: cannot write to /home/qscand/.spamassassin/user_prefs: Permission denied 
spamd[18368]: spamd: failed to create readable default_prefs: /home/qscand/.spamassassin/user_prefs 
spamd[18368]: spamd: checking message <20061020172304.21308.qmail@leikata.softpixel.com> for qscand:509 
spamd[18368]: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/auto-whitelist.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/auto-whitelist.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/auto-whitelist.lock: Permission denied 
spamd[18368]: bayes: locker: safe_lock: cannot create tmp lockfile /home/qscand/.spamassassin/bayes.lock.leikata.softpixel.com.18368 for /home/qscand/.spamassassin/bayes.lock: Permission denied 
spamd[18368]: spamd: clean message (-0.0/5.0) for qscand:509 in 0.0 seconds, 327 bytes. 
spamd[18368]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.0, size=327,user=qscand,uid=509, required_score=5.0,rhost=localhost.localdomain, raddr=127.0.0.1, rport=51721,mid=< 20061020172304.21308.qmail@leikata.softpixel.com>, autolearn=failed 
spamd[18366]: prefork: child states: II 
qmail-scanner[21309]: Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): 0.068512 327 <> postmaster@softpixel.com Qmail-Scanner_test_(1/4):_inoffensive_message <20061020172304.21308.qmail@leikata.softpixel.com> 1161364984.21311-0.leikata:68 orig-leikata116136498477521309:327 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136498577521320] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

I had to manually create the .spamassassin directory for user spamd:

# cd /home/qscand
# mkdir .spamassassin
# chown qscand:qscand .spamassassin/
# chmod 700 .spamassassin/

This solved the first few errors.

We still got the qmail-scanner error, however:

spamd[21615]: spamd: connection from localhost.localdomain [127.0.0.1] at port 52795 
spamd[21615]: spamd: checking message <20061020174801.21726.qmail@leikata.softpixel.com> for root:510 
spamd[21615]: spamd: clean message (-0.0/5.0) for root:510 in 0.1 seconds, 327 bytes. 
spamd[21615]: spamd: result: . 0 - NO_RECEIVED,NO_RELAYS scantime=0.1,size=327,user=root,uid=510, required_score=5.0, rhost=localhost.localdomain, raddr=127.0.0.1,rport=52795, mid=< 20061020174801.21726.qmail@leikata.softpixel.com>, autolearn=ham 
spamd[21612]: prefork: child states: II 
qmail-scanner[21727]: Clear:RC:1(127.0.0.1):SA:0(0.0/5.0): 0.105559 327 <> postmaster@softpixel.com Qmail-Scanner_test_(1/4):_inoffensive_message < 20061020174801.21726.qmail@leikata.softpixel.com> orig-leikata116136648177521727:327 1161366481.21729-0.leikata:68 
X-Antivirus-MYDOMAIN-1.25-st-qms: [leikata116136648177521738] clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 512/2 

By turning on debugging in qmail-scanner.pl, I determined that this was a permissions issue: qmail-scanner was running clamd as user qscand, but user qscand didn’t have privileges to see the files qmail-scanner wanted it to scan.

Making qmail-scanner run as root by disabling the setuid line in /etc/clamd.conf…

# Run as a selected user (clamd must be started by root).
# Default: disabled
#User qscand

…causes it to work (and the qmail-scanner test script to execute successfully), but we really shouldn’t be doing this.

Instead we need to make qmail-scanner write the files to scan with appropriate permissions.
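
The diagnosis above (the scanner account could not see the files it was asked to scan) and the clam readme's requirement that the clamd user can access the application's files both reduce to a permission check on every component of the path. The following is an added example, not code from these posts or from clamav or qmail-scanner: it applies the classic owner/group/other mode bits for a given uid and group set and reports the first component that blocks access. The name `first_blocker` and its `base` parameter are assumptions; ACLs, capabilities and SELinux are not considered.

```python
import os
import stat

def _allowed(st, uid, gids, want):
    """Classic owner/group/other check; want is an rwx mask (4=r, 2=w, 1=x)."""
    if uid == 0:
        return True  # root bypasses read/write/search checks, so running as root "works"
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def first_blocker(path, uid, gids, want=4, base=os.sep):
    """Return (component, reason) for the first element between base and
    path that denies access to uid/gids, or None if the path is reachable.
    Components above base are assumed reachable and are not checked."""
    base = os.path.abspath(base)
    chain, cur = [], os.path.abspath(path)
    while True:
        chain.append(cur)
        if cur == base or os.path.dirname(cur) == cur:
            break
        cur = os.path.dirname(cur)
    chain.reverse()  # base (or "/") first, target last
    for comp in chain[:-1]:
        # Every directory on the way needs search (x) permission.
        if not _allowed(os.stat(comp), uid, gids, 1):
            return comp, "directory not searchable (missing x)"
    st = os.stat(chain[-1])
    if not _allowed(st, uid, gids, want):
        return chain[-1], "mode %s denies requested access" % stat.filemode(st.st_mode)
    return None

if __name__ == "__main__":
    import pwd
    import sys
    # Usage: script.py <user> <path>, e.g. the scanner account and a file it must scan.
    pw = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    print(first_blocker(sys.argv[2], pw.pw_uid, gids) or "reachable")
```

Run as root against the scanner account and one of the queued files, it names the directory or file whose mode needs changing, which is the alternative to dropping the `User` line.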

qmail setup, 2006.10.20

Posted by bbinkovitz on 2006.10.21 @ 08:06

Here’s the path I took to install http://www.qmailrocks.org/ on Fedora Core 5 x86_64 running on an Athlon 64.

  • pre-install
    • yum install php-imap
    • yum install php-mysql
    • cpan Digest::SHA1
    • cpan Digest::HMAC
    • cpan Net::DNS
    • cpan Time::HiRes
    • cpan HTML::Tagset
    • cpan HTML::Parser
  • downloaded, compiled, etc. according to the qmailrocks redhat howto with the following exceptions:
    • skipped installing the autoresponder — we don’t want any autoresponder functionality.
    • installed vpopmail WITH mysql integration.
    • mysql integration failed with some compilation errors. It looks like this is a 64-bit compatibility issue — it seems to be trying to link against 32-bit libraries and the ld line is failing. I don’t have time to troubleshoot this now.
    • went back and installed autoresponder because it was required for another install. Sigh.
    • skipped vqadmin because it gave us inscrutable compile errors and wouldn’t install.
  • tested SMTP with no problems
  • Post-install add-ons
    • Clam Antivirus
      • Clam is not installing properly due to dependency conflicts. Upon further investigation, certain Perl modules were missing. Ran:
        • cpan Time::HiRes – for some reason this did an install when I ran it this time, although earlier it had said it was up to date.
        • cpan Pod::Usage
        • cpan Parse::Syslog
        • cpan Statistics::Distributions
      • Clam is now not able to install because the qmailrocks RPMs won’t work on the 64-bit processor, so I’m yumming them.
        • yum install perl-suidperl
        • yum install clamav clamav-milter clamav-server clamav-update
      • ClamReadMe
        • [root@leikata etc]# mv /etc/clamd.conf /etc/clamd.d/softpixel.conf
        • [root@leikata etc]# ln -s /etc/clamd.d/softpixel.conf /etc/clamd.conf
        • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.conf file.
        • [root@leikata template]# mv clamd.logrotate /etc/logrotate.d
        • replaced all “<SERVICE>” tags with “softpixel” (also removing brackets) in the clamd.logrotate
        • [root@leikata clamd.d]# mkdir /var/log/clamav/
        • [root@leikata clamd.d]# touch /var/log/clamav/clamd.softpixel
        • [root@leikata clamd.d]# chgrp qscand /var/log/clamav/clamd.softpixel
        • [root@leikata clamd.d]# chmod 0620 /var/log/clamav/clamd.softpixel
      • Setting the updater:
        • [root@leikata clamav]# touch /var/log/clamav/clam-update.log
        • [root@leikata clamav]# chmod 775 /var/log/clamav/clam-update.log
        • [root@leikata clamav]# chown qscand:qscand /var/log/clamav/clam-update.log
        • [root@leikata log]# chown qscand:qscand -R /var/lib/clamav
        • [root@leikata log]# /usr/bin/freshclam -l /var/log/clamav/clam-update.log
        • it updated.
    • SpamAssassin
    • Qmail Scanner
      • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zfailures <– replaced the “sort +2” pipe with “sort -n -r -k 2” — the version of sort included with fedora doesn’t support the “+2” syntax.
      • [root@leikata qlogtools-3.1]# vi /usr/local/qmailanalog/bin/zdeferrals <– replaced the “sort +2” pipe with “sort -n -r -k 2”

After this, we discovered clamd wasn’t starting properly at boot-time. SELinux was bitching:

kernel: audit(1161390036.976:4): avc: denied { search } for pid=2356 comm="clamd.softpixel" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
kernel: audit(1161390036.976:5): avc: denied { search } for pid=2356 comm="clamd.softpixel" name="sys" dev=proc ino=4026531867 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir
kernel: audit(1161390037.268:6): avc: denied { append } for pid=2356 comm="clamd.softpixel" name="clamd.softpixel" dev=dm-0 ino=2851961 scontext=system_u:system_r:clamd_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
kernel: audit(1161390037.272:7): avc: denied { sys_tty_config } for pid=2356 comm="clamd.softpixel" capability=26 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=capability

Clamd started happily when we disabled SELinux protection for it:

  • in system-config-securitylevel, under SELinux / Modify SELinux Policy, I checked:
    • Other / clamscan_disable_trans
    • SELinux Service Protection / Disable SELinux protection for clamd daemon

Of course, I first tried to create a new policy allowing exactly what clamd was needing (which would be way preferable to disabling SELinux), but I got the following error…

# audit2allow -M local -l -i aud
[root@leikata ~]# semodule -i local.pp
libsepol.permission_copy_callback: Module local depends on permission search in class file, not satisfied
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

… and haven’t been able to figure this out yet.
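
The grouping step that turns denials like the ones above into candidate allow rules, as an added example (not code from this post and not audit2allow's implementation; the function names are assumptions). It parses the four AVC records quoted in this post and emits one rule per source type, target type and class, which makes it easy to see that both `search` denials are on class `dir` and that the log file carries the `var_log_t` label.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

# The four denials from the post, verbatim.
SAMPLE = """\
kernel: audit(1161390036.976:4): avc: denied { search } for pid=2356 comm="clamd.softpixel" scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
kernel: audit(1161390036.976:5): avc: denied { search } for pid=2356 comm="clamd.softpixel" name="sys" dev=proc ino=4026531867 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir
kernel: audit(1161390037.268:6): avc: denied { append } for pid=2356 comm="clamd.softpixel" name="clamd.softpixel" dev=dm-0 ino=2851961 scontext=system_u:system_r:clamd_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
kernel: audit(1161390037.272:7): avc: denied { sys_tty_config } for pid=2356 comm="clamd.softpixel" capability=26 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:system_r:clamd_t:s0 tclass=capability
"""

def context_type(context):
    """Third field of an SELinux context: user:role:type[:level]."""
    return context.split(":")[2]

def denials(log_text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial.
    finditer is used instead of per-line matching so that records run
    together on one line are still separated."""
    for m in AVC_RE.finditer(log_text):
        src, tgt = context_type(m.group("s")), context_type(m.group("t"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("cls"), perm

def allow_rules(log_text):
    """Group denials into one 'allow' statement per (source, target, class)."""
    grouped = defaultdict(set)
    for src, tgt, cls, perm in denials(log_text):
        grouped[(src, "self" if tgt == src else tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
```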

file under: retroactively prophetic spam

Posted by bbinkovitz on 2006.10.08 @ 20:54

Darius Trevino
<kgovernor@gearwest.com> to me 7:31 am (7 hours ago)

will more often be forced to conceive and work on his ideas in changed the way in which society views and values visual art. talk on how important it is!”