Andreas Büthe
2018-07-13 12:47:44 UTC
Hi everyone,
I want to implement a commercial AV scanner into amavis scanning. For this purpose, a wrapper script has been written that contains a sudo call.
When I run the script as user 'amavis' from the command line, everything works fine. When it's run as a result of the av_scanners call, it fails with the following error message, though:
run_av (Test Antivirus) FAILED - unexpected exit 1, output="sudo: unable to change to root gid: Operation not permitted\nsudo: unable to initialize policy plugin"
With an 'strace' on the sudo command itself, the error message is:
effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges
Confusingly, a 'Permission denied' occurs in this 'strace' on '/etc/sudo.conf' although the process should be root at this point.
The version used is 'amavisd-new 2.11.0-2el7' (CentOS 7 from EPEL) without chroot. I checked basics like the suid bit on /usr/bin/sudo, that the filesystem / on which /usr resides is not mounted 'nosuid', SELinux is currently disabled for testing purposes, etc.
I somehow assume that my problem has to do with the read-only filesystem remounts in the amavis worker.
You'll find the necessary problem description below, I hope. Do you have an idea or need further information?
Best regards,
Andreas
---- configuration details ----
/etc/amavisd/amavisd.conf
[...]
@av_scanners = (
['Test Antivirus',
'/opt/antivirus/test.sh',
'-s {}',
qr/\bThreats found:\s+0\b/m,
qr/\bThreats found:\s+[1-9]\d*\b/m,
/./
],
);
[...]
---- positive result from shell ----
$ su - amavis -s /bin/bash
-bash-4.2$ /usr/bin/id
uid=508(amavis) gid=508(amavis) groups=508(amavis) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ sudo /usr/bin/id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
---- my test script ----
$ vi /opt/antivirus/test.sh
#! /bin/bash
/usr/bin/id > ~/id.txt
sudo /usr/bin/id >> ~/id.txt
ls -l /usr/bin/sudo /etc/sudoers /etc/sudo.conf > ~/sudo_perms.txt
findmnt -lo source,target,fstype,label,options,used > ~/findmnt.txt
strace -s 512 sudo id > ~/strace_id.txt 2>&1
---- results of the test script when run via run_av ----
$ cat ~/id.txt # second line missing, sudo not successful
uid=508(amavis) gid=508(amavis) groups=508(amavis) context=system_u:system_r:antivirus_t:s0
$ cat ~/sudo_perms.txt # suid bit is set, rest of permissions is centos-default as well
-rw-r-----. 1 root root 1786 Jun 26 20:07 /etc/sudo.conf
-r--r-----. 1 root root 4667 Jul 13 13:18 /etc/sudoers
---s--x--x. 1 root root 143248 Jun 27 20:03 /usr/bin/sudo
$ grep -E "SOURCE|^/dev" findmnt.txt # file is attached if you need further details
SOURCE TARGET FSTYPE LABEL OPTIONS USED
/dev/mapper/vg01-root / xfs rw,relatime,seclabel,attr2,inode64,noquota 6G
/dev/sda1 /boot xfs ro,relatime,seclabel,attr2,inode64,noquota 309.1M
/dev/mapper/vg02-srv /srv xfs rw,relatime,seclabel,attr2,inode64,noquota 650.6M
/dev/mapper/vg01-root[/tmp/systemd-private-d12bc474211b4beb8ef887951c75f901-amavisd.service-9PDyaf/tmp] /tmp xfs rw,relatime,seclabel,attr2,inode64,noquota 6G
/dev/mapper/vg01-root[/var/tmp/systemd-private-d12bc474211b4beb8ef887951c75f901-amavisd.service-IAPlVY/tmp] /var/tmp xfs rw,relatime,seclabel,attr2,inode64,noquota 6G
/dev/mapper/vg01-root[/etc] /etc xfs ro,relatime,seclabel,attr2,inode64,noquota 6G
$ grep -E "execve|EACCES|/usr/bin/sudo|write" strace_id.txt # file is attached if you need further details
execve("/usr/bin/sudo", ["sudo", "id"], [/* 13 vars */]) = 0
open("/etc/sudo.conf", O_RDONLY) = -1 EACCES (Permission denied)
access("/usr/bin/sudo", X_OK) = 0
stat("/usr/bin/sudo", {st_mode=S_IFREG|S_ISUID|0111, st_size=143248, ...}) = 0
write(2, "sudo", 4sudo) = 4
write(2, ": ", 2: ) = 2
write(2, "effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?", 133effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?) = 133
write(2, "\n", 1
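The strace in the post shows the signature of a setuid binary that did not gain privileges: execve of /usr/bin/sudo succeeds, the setuid bit is present on the file, the root filesystem is not mounted 'nosuid', yet the process still has the caller's uid when it opens /etc/sudo.conf (hence the EACCES on a 0640 root-owned file). Besides a missing setuid bit and a 'nosuid' mount, the third thing that produces exactly this is a process-level restriction inherited from the service: the no_new_privs flag that a sandboxed systemd unit can set. The following diagnostic is an added example, written for this thread and not part of Andreas' post or of amavisd-new; it is meant to be called from inside the wrapper that amavisd executes, so that it sees the worker's environment rather than an interactive shell. The function names, the `--live` switch and the result strings are my own; the live mode assumes GNU `stat` and util-linux `findmnt` (the post already uses the latter). One caveat: the NoNewPrivs field in /proc/<pid>/status only exists on kernels 4.10 and newer, so on a CentOS 7 kernel the flag state is reported as unknown and the effective uid after exec is the only evidence left.

```bash
#!/bin/bash
# Added diagnostic helper, not part of the original post or of amavisd-new.
# A setuid binary such as /usr/bin/sudo keeps the caller's uid when one of
# these holds for the calling process:
#   1. the binary has lost its setuid bit,
#   2. the filesystem holding the binary is mounted with 'nosuid',
#   3. the process carries the no_new_privs flag (set, for example, by a
#      systemd unit with NoNewPrivileges=yes; inherited by every child).
# The pure functions take their input as arguments so they can be checked
# against captured output; diagnose_live collects the real values.

# mode_has_setuid MODE: MODE is an 'ls -l' / 'stat -c %A' mode string such as
# "---s--x--x". Succeeds when the fourth character is 's' or 'S' (setuid bit).
mode_has_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
    esac
    return 1
}

# options_have_flag OPTIONS FLAG: OPTIONS is a comma-separated mount option
# list as printed by findmnt; succeeds when FLAG is one of the options.
options_have_flag() {
    case ",$1," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# no_new_privs_state STATUS: STATUS is the text of /proc/<pid>/status.
# Prints "1" (flag set), "0" (flag clear) or "unknown" (field absent;
# kernels older than 4.10, CentOS 7 included, do not expose it).
no_new_privs_state() {
    local val
    val=$(printf '%s\n' "$1" | sed -n 's/^NoNewPrivs:[[:space:]]*//p')
    case "$val" in
        0|1) printf '%s\n' "$val" ;;
        *)   printf 'unknown\n' ;;
    esac
}

# diagnose MODE OPTIONS STATUS: combines the three checks and prints the
# first restriction found, or "ok" when none of them explains a failure.
diagnose() {
    local mode=$1 opts=$2 status=$3
    if ! mode_has_setuid "$mode"; then
        printf 'setuid_bit_missing\n'; return 0
    fi
    if options_have_flag "$opts" nosuid; then
        printf 'nosuid_mount\n'; return 0
    fi
    case "$(no_new_privs_state "$status")" in
        1)       printf 'no_new_privs\n' ;;
        unknown) printf 'no_new_privs_unknown\n' ;;
        *)       printf 'ok\n' ;;
    esac
}

# diagnose_live BINARY: gathers the real values for BINARY (default
# /usr/bin/sudo) from stat, findmnt and /proc/self/status and prints one
# line with real uid, effective uid and the diagnosis.
diagnose_live() {
    local bin=${1:-/usr/bin/sudo} mode opts status
    mode=$(stat -c %A "$bin") || return 1
    opts=$(findmnt -no OPTIONS --target "$bin") || return 1
    status=$(cat /proc/self/status)
    printf 'uid=%s euid=%s binary=%s result=%s\n' \
        "$(id -ru)" "$(id -u)" "$bin" "$(diagnose "$mode" "$opts" "$status")"
}

# Run the live check only when asked, e.g. from the wrapper:
#   /opt/antivirus/sudo_diag.sh --live /usr/bin/sudo >> ~/sudo_diag.txt
if [ "${1:-}" = "--live" ]; then
    diagnose_live "${2:-/usr/bin/sudo}"
fi
```

Calling the script with `--live` from the amavis wrapper and comparing its line with the same call from an interactive `su - amavis` shell isolates the restriction: a result of `no_new_privs` (or `no_new_privs_unknown` together with an unchanged euid) points at the service unit's hardening rather than at sudo, the binary or the mount, and that is the setting to adjust deliberately, or to keep and drop the sudo call in favour of a scanner that does not need it.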