1

Topic: protecting configuration and log files

I found that many configuration files of iRedMail applications are world-readable. The configuration files contain the username and password of MySQL and LDAP, so someone who has access to your server (it could be a web hosting user or an attacker who compromised some unpatched web application) can compromise the backend of iRedMail (MySQL or LDAP).

I also found that iRedAPD log files are world-readable. If the logging level is set to debug, it logs the LDIF information of the recipient, which includes the user's password hash.

Here is a list of configuration files that need to be protected and what I did to fix them.

/etc/dovecot-ldap.conf
Fix:
chmod 600 /etc/dovecot-ldap.conf

/etc/httpd/conf.d/awstats.conf
Fix:
chmod 600 /etc/httpd/conf.d/awstats.conf

/etc/postfix/ldap_catch_all_maps.cf
/etc/postfix/ldap_virtual_mailbox_maps.cf
/etc/postfix/ldap_recipient_bcc_maps_user.cf
/etc/postfix/ldap_virtual_mailbox_domains.cf
/etc/postfix/ldap_recipient_bcc_maps_domain.cf
/etc/postfix/ldap_sender_bcc_maps_domain.cf
/etc/postfix/ldap_virtual_group_maps.cf
/etc/postfix/ldap_transport_maps_domain.cf
/etc/postfix/ldap_transport_maps_user.cf
/etc/postfix/ldap_sender_bcc_maps_user.cf
/etc/postfix/ldap_relay_domains.cf
/etc/postfix/ldap_sender_login_maps.cf
/etc/postfix/ldap_virtual_alias_maps.cf

Fix:
1.    chgrp postfix /etc/postfix/ldap*.cf
2.    chmod 640 /etc/postfix/ldap*.cf

/etc/postfix/mysql_catch_all_maps.cf
/etc/postfix/mysql_virtual_mailbox_maps.cf
/etc/postfix/mysql_recipient_bcc_maps_user.cf
/etc/postfix/mysql_virtual_mailbox_domains.cf
/etc/postfix/mysql_recipient_bcc_maps_domain.cf
/etc/postfix/mysql_sender_bcc_maps_domain.cf
/etc/postfix/mysql_virtual_group_maps.cf
/etc/postfix/mysql_transport_maps_domain.cf
/etc/postfix/mysql_transport_maps_user.cf
/etc/postfix/mysql_sender_bcc_maps_user.cf
/etc/postfix/mysql_relay_domains.cf
/etc/postfix/mysql_sender_login_maps.cf
/etc/postfix/mysql_virtual_alias_maps.cf

Fix:
1.    chgrp postfix /etc/postfix/mysql*.cf
2.    chmod 640 /etc/postfix/mysql*.cf

/opt/iRedAPD-x.y.z/etc/iredapd.ini
/opt/iRedAPD-x.y.z/etc/iredapd-rr.ini
Fix:
chmod 600 /opt/iRedAPD-x.y.z/etc/iredapd*ini

/var/www/phpMyAdmin-a.bc.de-all-languages/config.inc.php
Fix:
Actually phpMyAdmin doesn't need any user/password information. But iRedMail sets the blowfish_secret variable to the password of MySQL/LDAP. So we don't need to chmod this file; just change the blowfish_secret variable to anything long and secret (you don't need to remember this value).

$cfg['blowfish_secret'] = "anyveryveryveryloooongtopsecrettext";

/var/www/iredadmin/settings.ini
Fix: Since iRedAdmin runs inside Apache, it runs as the apache user and we can't chmod it to 600. The solution I chose is using WSGI daemon mode to make iRedAdmin run as a non-apache user, and then we can chown and chmod settings.ini to mode 600.
This short 2-minute video shows how to do it: http://www.youtube.com/watch?v=o285XYJTGQw

/var/www/roundcubemail-x.y.z/config/main.inc.php
/var/www/roundcubemail-x.y.z/config/db.inc.php
Fix: this is a similar problem to iRedAdmin. The solution I chose is using suPHP to make Roundcube run as a non-apache user and then chown and chmod to mode 600. This short video shows how to do it: http://www.youtube.com/watch?v=V2dq0SMAb0k

After the configuration files, here are the log files that need to be protected:

/var/log/iredapd.log
/var/log/iredapd-rr.log

To fix it, chmodding those files does not solve the problem. So I add one line:
    os.umask(077)
to /opt/iredapd/src/iredapd.py and /opt/iredapd/src/iredapd-rr.py after "def main():" and before "# Chroot in current directory".

Then I remove those log files and restart iredapd and iredapd-rr to force creation of new log files with mode 600.

I know that changing source files is not recommended, but it is just a quick one-liner fix.
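As an added example (this is not code from the post or from the iRedMail project), the following script does what the post describes by hand: it audits a set of files for the world-readable bit, applies the two modes used above (600 for root-only files, 640 plus a service group for files a daemon such as Postfix must read), and creates a log file under a 077 umask, which is what the os.umask(077) change makes iredapd do. The file names are constructed stand-ins in a scratch directory; the real paths are the ones listed in the post, and the group name `postfix` is only shown in a comment.

```shell
#!/bin/sh
# Added example, not code from the thread or the iRedMail project: audit a set
# of configuration files for the world-readable bit, apply the modes the post
# uses (600 for root-only files, 640 plus a service group for files a daemon
# must read), and create a log file under a 077 umask the way the os.umask(077)
# change makes iredapd do. The files below are constructed stand-ins in a
# scratch directory; the real paths are the ones listed in the post.

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report every argument whose "other" read bit is set.
# Returns 0 when none is world-readable, 1 when at least one is.
audit_world_readable() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        other=${mode#"${mode%?}"}        # last octal digit = permissions for "other"
        case $other in
            4|5|6|7) echo "world-readable: $f (mode $mode)"; found=1 ;;
        esac
    done
    return $found
}

# Apply a mode, and optionally a group, to each file. For 640 the group is
# what lets the daemon read a root-owned file; pass "" to leave the group alone.
harden() {
    mode=$1; group=$2; shift 2
    for f in "$@"; do
        [ -f "$f" ] || continue
        if [ -n "$group" ]; then chgrp "$group" "$f"; fi
        chmod "$mode" "$f"
    done
}

# Create an empty log file under umask 077 (in a subshell so the caller's
# umask is untouched) and print the mode it was created with: 666 & ~077 = 600.
create_private_log() {
    ( umask 077; : > "$1" )
    file_mode "$1"
}

# Walk-through on constructed copies of three of the files named in the post.
demo() {
    tmp=$(mktemp -d)
    for name in dovecot-ldap.conf ldap_relay_domains.cf mysql_virtual_alias_maps.cf; do
        : > "$tmp/$name"
        chmod 644 "$tmp/$name"                 # the default the post complains about
    done
    audit_world_readable "$tmp"/* || echo "-> hardening"
    harden 600 "" "$tmp/dovecot-ldap.conf"
    harden 640 "" "$tmp"/*.cf                  # on a real box: harden 640 postfix /etc/postfix/ldap*.cf
    audit_world_readable "$tmp"/* && echo "-> no world-readable files left"
    echo "iredapd.log created with mode $(create_private_log "$tmp/iredapd.log")"
    rm -rf "$tmp"
}

demo
```

Run it as a normal user; it never touches anything outside its temporary directory. On a real server the `audit_world_readable` call with the post's paths is the useful part: it tells you which of the listed files still need attention after an upgrade restores default permissions.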

2

Re: protecting configuration and log files

A big "Thank you" for your reminder.

This is critical for hosting services; I will try to solve it later and release a standalone shell script to change file permissions. Of course it will be merged into iRedMail in the next release.

3

Re: protecting configuration and log files

After the configuration files, here are the log files that need to be protected:
/var/log/iredapd.log
/var/log/iredapd-rr.log
To fix it, chmodding those files does not solve the problem. So I add one line:
    os.umask(077)
to /opt/iredapd/src/iredapd.py and /opt/iredapd/src/iredapd-rr.py after "def main():" and before "# Chroot in current directory".
Then I remove those log files and restart iredapd and iredapd-rr to force creation of new log files with mode 600.

Fixed in the iRedAPD trunk version and installation guide. Thanks again.

4

Re: protecting configuration and log files

Fix:
1.    chgrp postfix /etc/postfix/ldap*.cf
2.    chmod 640 /etc/postfix/ldap*.cf

Are you sure this code works as expected?

This doesn't work on RHEL/CentOS 5 for me.

5

Re: protecting configuration and log files

ZhangHuangbin wrote:
Fix:
1.    chgrp postfix /etc/postfix/ldap*.cf
2.    chmod 640 /etc/postfix/ldap*.cf

Are you sure this code works as expected?

This doesn't work on RHEL/CentOS 5 for me.

Yes, it works on my box; I use CentOS 5.5 (from your ISO file: iRedOS 0.6.0). What error did you get on your box?

6

Re: protecting configuration and log files

Starting Postfix gives a 'Permission denied' error.

7

Re: protecting configuration and log files

ZhangHuangbin wrote:

Starting Postfix gives a 'Permission denied' error.

If Postfix runs as the postfix user, it should be able to read those files; maybe SELinux is blocking it. Try disabling SELinux.

8

Re: protecting configuration and log files

Currently, iRedMail can't work well with SELinux, so it's not a SELinux issue.

9

Re: protecting configuration and log files

Finally, I fixed the issue with the 'Permission denied' error: incorrect file permissions on /etc/postfix/postfix-script.

I will test them all and merge them into iRedMail. Thanks again. smile

10

Re: protecting configuration and log files

ZhangHuangbin wrote:

Finally, I fixed the issue with the 'Permission denied' error: incorrect file permissions on /etc/postfix/postfix-script.

I will test them all and merge them into iRedMail. Thanks again. smile

That's great Zhang, you're welcome smile

11

Re: protecting configuration and log files

/var/www/phpMyAdmin-a.bc.de-all-languages/config.inc.php
Fix:
Actually phpMyAdmin doesn't need any user/password information. But iRedMail sets the blowfish_secret variable to the password of MySQL/LDAP. So we don't need to chmod this file; just change the blowfish_secret variable to anything long and secret (you don't need to remember this value).
$cfg['blowfish_secret'] = "anyveryveryveryloooongtopsecrettext";

To be clear, blowfish_secret is a RANDOM string, NOT the password of MySQL/LDAP.

You can verify this in iRedMail-x.y.z/functions/phpmyadmin.sh:

    export COOKIE_STRING="$(${RANDOM_STRING})"
    perl -pi -e 's#(.*blowfish_secret.*= )(.*)#${1}"$ENV{'COOKIE_STRING'}"; //${2}#' ${PHPMYADMIN_CONFIG_FILE}

Since iRedMail supports so many Linux distributions, I need some time to test your contribution and merge it. Please be patient.

Thanks again. smile

12

Re: protecting configuration and log files

ZhangHuangbin wrote:

/var/www/phpMyAdmin-a.bc.de-all-languages/config.inc.php
Fix:
Actually phpMyAdmin doesn't need any user/password information. But iRedMail sets the blowfish_secret variable to the password of MySQL/LDAP. So we don't need to chmod this file; just change the blowfish_secret variable to anything long and secret (you don't need to remember this value).
$cfg['blowfish_secret'] = "anyveryveryveryloooongtopsecrettext";

To be clear, blowfish_secret is a RANDOM string, NOT the password of MySQL/LDAP.

You can verify this in iRedMail-x.y.z/functions/phpmyadmin.sh:

    export COOKIE_STRING="$(${RANDOM_STRING})"
    perl -pi -e 's#(.*blowfish_secret.*= )(.*)#${1}"$ENV{'COOKIE_STRING'}"; //${2}#' ${PHPMYADMIN_CONFIG_FILE}

RANDOM_STRING is a global variable that is generated only once, in iRedMail/conf/global:

# Generate a random string.
# Usage:
#   str="$(${RANDOM_STRING})"
export RANDOM_STRING="echo $RANDOM$RANDOM$RANDOM$RANDOM$RANDOM$RANDOM"

The RANDOM_STRING variable is used and re-used everywhere: as blowfish_secret, as the Roundcube db password, as the iRedAdmin db password, as the policyd db password, as the LDAP password.

This makes blowfish_secret identical to the password of MySQL and LDAP. To be secure, we can't use the same password for everything; it must be unique.

13

Re: protecting configuration and log files

I have a fix for this same-password-everywhere problem.

1. Replace the double quotes with single quotes in RANDOM_STRING (it will avoid variable expansion of $RANDOM):
export RANDOM_STRING='echo $RANDOM$RANDOM$RANDOM$RANDOM$RANDOM$RANDOM'

2. Add eval in every piece of code that uses RANDOM_STRING, for example:
export COOKIE_STRING="$(eval ${RANDOM_STRING})"
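As an added example (not iRedMail's code, and not part of any post in this thread), the script below puts the three shapes of RANDOM_STRING that the thread discusses side by side: the double-quoted form from iRedOS-0.6.0 that hands out one value for every password, the single-quote plus eval form proposed in the previous two posts, and the /dev/urandom form that the iRedMail conf/global uses (written more plainly than the thread's one-liner, and with LC_ALL=C assumed so tr works byte-wise). `all_same` and `value_length` are helper names introduced here. The $RANDOM forms assume a shell that provides $RANDOM (bash, ksh, zsh); in a plain POSIX sh that lacks it they expand to an empty string.

```shell
#!/bin/sh
# Added example, not iRedMail's code: the three shapes of RANDOM_STRING that
# come up in this thread, side by side, so the quoting difference is visible.
# The $RANDOM forms need a shell that provides $RANDOM (bash, ksh, zsh); in a
# plain POSIX sh that lacks it they expand to an empty string.

# Shape 1 (iRedOS-0.6.0): double quotes expand the six $RANDOM values once,
# at assignment time. The variable then holds a fixed string such as
# "echo 238761902...", so every later call returns the same value.
export RANDOM_STRING_FIXED="echo $RANDOM$RANDOM$RANDOM$RANDOM$RANDOM$RANDOM"

# Shape 2 (the fix proposed in this thread): single quotes keep the literal
# text '$RANDOM...' in the variable; eval expands it afresh on each call.
export RANDOM_STRING_FRESH='echo $RANDOM$RANDOM$RANDOM$RANDOM$RANDOM$RANDOM'

# Shape 3 (iRedMail conf/global): 30 alphanumerics from the kernel CSPRNG.
# Written more plainly than the thread's one-liner; LC_ALL=C keeps tr byte-wise.
export RANDOM_STRING_URANDOM='LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 30'

gen_fixed()         { $RANDOM_STRING_FIXED; }           # "$(${RANDOM_STRING})" as the installer calls it
gen_fresh_no_eval() { $RANDOM_STRING_FRESH; }           # step 1 alone: the literal text comes back
gen_fresh()         { eval "$RANDOM_STRING_FRESH"; }    # step 1 + step 2 (eval)
gen_urandom()       { eval "$RANDOM_STRING_URANDOM"; }

# Draw three values from a generator, as the installer does for three different
# passwords; return 0 if all three came out identical.
all_same() {
    a=$($1); b=$($1); c=$($1)
    [ "$a" = "$b" ] && [ "$b" = "$c" ]
}

# Length of one generated value, for checking the urandom form.
value_length() {
    printf '%s' "$($1)" | wc -c | tr -d ' '
}

echo "double quotes:          $(gen_fixed) / $(gen_fixed)"
echo "single quotes, no eval: $(gen_fresh_no_eval)"
echo "single quotes + eval:   $(gen_fresh) / $(gen_fresh)"
echo "urandom:                $(gen_urandom) / $(gen_urandom)"
```

The second line of output is why the fix needs both steps: with single quotes but without eval, `$(${RANDOM_STRING})` runs `echo` on the literal text `$RANDOM$RANDOM...`, because the result of a parameter expansion is not expanded again. The urandom form has no such trap, since the command text contains no variables to expand early.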

14

Re: protecting configuration and log files

Well, I found the problem.

This issue only exists in iRedOS.

In iRedMail, it's:

# conf/global
export RANDOM_STRING='eval </dev/urandom tr -dc A-Za-z0-9| (head -c $1 > /dev/null 2>&1 || head -c 30)'

This method doesn't work in iRedOS, because we use it after the system installation has completed but before the first reboot.
It seems this only exists in iRedOS-0.6.0; old versions already have 'eval'.

15

Re: protecting configuration and log files

ZhangHuangbin wrote:

Well, I found the problem.

This issue only exists in iRedOS.

In iRedMail, it's:

# conf/global
export RANDOM_STRING='eval </dev/urandom tr -dc A-Za-z0-9| (head -c $1 > /dev/null 2>&1 || head -c 30)'

This method doesn't work in iRedOS, because we use it after the system installation has completed but before the first reboot.
It seems this only exists in iRedOS-0.6.0; old versions already have 'eval'.

Wow, I just learned that iRedMail/conf/global in the Google Code repository is very different from what I got on my box (iRedOS-0.6.0).

I don't understand why that method doesn't work in iRedOS... is it because of the use of urandom/tr/head? Then, what's the plan? Stick to the $RANDOM stuff for iRedOS?

16

Re: protecting configuration and log files

Yes, because of urandom.

You can simply change RANDOM_STRING to:

export RANDOM_STRING='eval echo $RANDOM$RANDOM$RANDOM$RANDOM$RANDOM$RANDOM'

This is the only difference; you can verify it with the kickstart file in iRedOS (/iredmail.cfg). And I believe it exists in iRedOS-0.6.0 only.

17

Re: protecting configuration and log files

ZhangHuangbin wrote:

Yes, because of urandom.

You can simply change RANDOM_STRING to:

export RANDOM_STRING='eval echo $RANDOM$RANDOM$RANDOM$RANDOM$RANDOM$RANDOM'

This is the only difference; you can verify it with the kickstart file in iRedOS (/iredmail.cfg). And I believe it exists in iRedOS-0.6.0 only.

Zhang, I am sure there is no need for iRedOS-0.6.0 to be different in the way RANDOM_STRING is generated.

I just tested it and confirm that using /dev/urandom works perfectly on iRedOS-0.6.0. I modified the iRedOS-0.6.0 ISO file and changed only the conf/global file to use /dev/urandom for the RANDOM_STRING variable. Then I fired up my VMware, and it installed perfectly. On that test box, I got nicer and unique passwords such as "Vd96oenWnuGUiVfFt8X1fayQIGcv1b" compared to the identical and numeric-only ones of the original iRedOS-0.6.0.

What do you think?

18

Re: protecting configuration and log files

I will test it later, thanks for your feedback. If it works, that would be great tongue

19

Re: protecting configuration and log files

Hi, rizkiwicaksono.

I'm testing the file permissions, current status:

chmod 600 /etc/dovecot-ldap.conf (RHEL OK)
chmod 600 /etc/httpd/conf.d/awstats.conf (RHEL OK)
chgrp postfix /etc/postfix/ldap*.cf (I'm afraid that we don't need to chgrp. Default group is root.)
chmod 640 /etc/postfix/ldap*.cf (RHEL OK)
chgrp postfix /etc/postfix/mysql*.cf (I'm afraid that we don't need to chgrp.)
chmod 640 /etc/postfix/mysql*.cf (RHEL OK)

Still need to test on other distributions with different OS versions.

20

Re: protecting configuration and log files

ZhangHuangbin wrote:

Hi, rizkiwicaksono.

I'm testing the file permissions, current status:

chmod 600 /etc/dovecot-ldap.conf (RHEL OK)
chmod 600 /etc/httpd/conf.d/awstats.conf (RHEL OK)
chgrp postfix /etc/postfix/ldap*.cf (I'm afraid that we don't need to chgrp. Default group is root.)
chmod 640 /etc/postfix/ldap*.cf (RHEL OK)
chgrp postfix /etc/postfix/mysql*.cf (I'm afraid that we don't need to chgrp.)
chmod 640 /etc/postfix/mysql*.cf (RHEL OK)

Still need to test on other distributions with different OS versions.

chgrp to postfix is necessary for Postfix to be able to read those files.

This is what I got on iRedOS-0.6.0 after I chmod to 640 without chgrp to postfix:
Jul 22 11:18:53 mail postfix/proxymap[3156]: fatal: open /etc/postfix/ldap_relay_domains.cf: Permission denied

21

Re: protecting configuration and log files

It works here for me without chgrp, iRedOS-0.6.0, x86_64.

22

Re: protecting configuration and log files

Hi, rizkiwicaksono.

I released a hotfix tutorial to fix this issue:
http://www.iredmail.org/forum/topic1108 … words.html

Thanks very much for your contribution. smile

23

Re: protecting configuration and log files

P.S. I uploaded a new version of iRedOS-0.6.0 (x86_64), which fixes the RANDOM_STRING issue.

24

Re: protecting configuration and log files

Great job Zhang smile

Just to report a small typo in iredapd.py and iredapd-rr.py: it should be version 1.3.3, not 1.4.0
__version__ = "1.4.0"

25

Re: protecting configuration and log files

sad I will fix it later. Thanks for your reminder smile