
Archive for December, 2006

Sticky bits help you take file permissions to the next level. Here’s an example of a situation where the sticky bit helps:

Let’s say you have a directory on a server called “share”. For this directory, you have 3 users: adam, bill, and carl. You are the administrator, so you want all three users to be able to manage files in the share directory. That’s easily done: put all three users in the same group, make that group the group owner of the directory, and set the directory’s permissions to 775. (A directory needs the execute bit before anyone can enter it, so 664 would lock everybody out, including the owner.)

Hold on - adam is going to be upset if bill or carl removes or renames adam’s files. How can you let all three users create files in the same directory but not let them delete each other’s files? The sticky bit!

After a chmod 775 and a chown admin:sharegroup to fix the group, the directory looks like this:

drwxrwxr-x   2 admin sharegroup     4096 Dec 30 22:05 share

Now, run a chmod 1775 on the directory:

drwxrwxr-t   2 admin sharegroup     4096 Dec 30 22:05 share

What’s the t all about? That’s your sticky bit! In a directory with the sticky bit set, an entry can only be deleted or renamed by the owner of that file, the owner of the directory, or root. So whenever adam creates a file, bill and carl can’t delete it or rename it, even though the directory itself is writable by the group. Note what the sticky bit does not do: it says nothing about reading or writing the file’s contents. That is still governed by the file’s own permissions, so if adam creates the file as group-writable (umask 002) bill and carl can still edit it, and if he creates it with umask 022 they can read it but not change it. One thing to watch for in listings: a capital T in the last position means the sticky bit is set but the execute bit for others is missing.

Okay, so why do you need the sticky bit? This all sounds like fun and games for shared folders, but how can you use this in the real world? Well, think about your /tmp directory. Users write to the directory all the time whether they know it or not, but what if one user trashed another user’s temporary files? Or what if a user wiped out the whole directory? That’s where the sticky bit saves the day. /tmp should always be mode 1777 (drwxrwxrwt): world-writable so everyone can create temporary files, sticky so nobody can remove anyone else’s. The same goes for /var/tmp and any other shared scratch directory.
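As an added example (not part of the original post), here is a small POSIX shell helper that does the audit the /tmp advice implies: it lists world-writable directories that are missing the sticky bit, which is exactly the state in which any user can delete any other user’s files, and it checks one directory’s listing for the t/T flag. The scratch tree it builds for the demo is constructed; point the first function at / on a real box.

```shell
#!/bin/sh
# Added example: find directories anyone can write to that lack the sticky
# bit, i.e. places where one user can delete or rename another user's files.

# Print every directory under $1 that is world-writable (o+w) but not sticky.
find_unsticky_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Return 0 if the directory's mode shows the sticky bit in the last column
# (t, or T when the others-execute bit is missing), 1 otherwise.
has_sticky_bit() {
    case "$(ls -ld "$1")" in
        d????????[tT]*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Demo on a constructed scratch tree rather than the real /tmp.
demo_sticky_audit() {
    scratch=$(mktemp -d)
    mkdir "$scratch/good" "$scratch/bad"
    chmod 1777 "$scratch/good"   # what /tmp should look like: drwxrwxrwt
    chmod 0777 "$scratch/bad"    # world-writable, no sticky bit: reported
    find_unsticky_world_writable "$scratch"   # prints only .../bad
    rm -rf "$scratch"
}

demo_sticky_audit
```

Run find_unsticky_world_writable / (as root, so every directory is readable) on a freshly built server; anything it prints besides nothing is a candidate for chmod 1777 or for not being world-writable at all.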


If you find yourself in the sticky situation where kill -9 still won’t kill a sendmail process, check the process list. If ps fax shows a “D” status code, you won’t be able to stop the process: it is in “uninterruptible sleep”, blocked inside the kernel (usually waiting on disk or network I/O), and signals are not delivered until that wait returns. Not even SIGKILL can interrupt it.

What can you do to fix this? Check for file locking. Are files in the mail queue directory locked? Is the mail queue on a filesystem mounted over NFS? A hung NFS server is the classic cause: a hard NFS mount will block the process indefinitely, and the WCHAN column of ps (or /proc/PID/wchan) will show it sitting in an nfs or rpc function. If so, the only fixes are to bring the NFS server back (the process will then finish on its own) or, failing that, to set sendmail not to start on reboot and reboot the box.
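Added here as an example (not from the original post): a one-function filter that pulls the D-state processes out of a ps listing, together with the WCHAN column that tells you where in the kernel they are stuck. The listing embedded below is constructed for the demo; the live pipeline is in the comment.

```shell
#!/bin/sh
# Added example: pick out processes in uninterruptible sleep from a ps
# listing. Feed it `ps -eo pid,stat,wchan:32,comm` (GNU ps) on stdin so the
# same function works on a live system or on a saved listing.

find_dstate() {
    # STAT begins with D for uninterruptible sleep (D, D+, Ds, DN ...).
    # NR > 1 skips the header line.
    awk 'NR > 1 && $2 ~ /^D/ { print }'
}

# Constructed sample listing (not captured from a real host).
SAMPLE_PS='  PID STAT WCHAN                            COMMAND
  842 Ss   ep_poll                          sshd
 1203 D    rpc_wait_bit_killable            sendmail
 1210 S    hrtimer_nanosleep                sleep'

printf '%s\n' "$SAMPLE_PS" | find_dstate    # prints only the sendmail line

# Live use:  ps -eo pid,stat,wchan:32,comm | find_dstate
# A WCHAN of rpc_* or nfs_* means the process is waiting on an NFS server
# that is not answering; no signal, SIGKILL included, can interrupt that.
```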


In the event that a Fedora/RHEL/CentOS box won’t get past init (the first userspace process, started right after the kernel loads), don’t fret - it can be fixed. Make a note of the missing libraries or executables named in the error on the console. Boot a live CD or rescue CD and chroot into your main installation (the rescue mode of the install CD will mount it under /mnt/sysimage for you). Once you’re chrooted, forcefully reinstall any RPMs that contain the missing files.

Forcing the installation of an RPM (--force is shorthand for --replacepkgs --replacefiles --oldpackage, so it reinstalls a package the database already thinks is present):

rpm -ivh --force filename.rpm

Listing the files that an installed RPM contains:

rpm -ql rpmname

Listing the files that an RPM file contains:

rpm -qpl filename.rpm

Finding the RPM that contains a certain file/executable:

rpm -qf /usr/bin/filename

Figuring out what might be wrong with files already installed from an RPM (reports files whose size, checksum, mode, owner or mtime differ from what the package installed, and files that are missing altogether):

rpm -V rpmname


Add this to the virtual host configuration if PHPLive complains that it has no session.save_path:

php_admin_flag safe_mode off
php_admin_flag register_globals off

PHPLive cannot operate with safe_mode enabled (safe_mode’s UID check on the session directory is what breaks it). php_admin_flag is the right directive here rather than php_flag, because an admin flag cannot be overridden from .htaccess or ini_set(). Keep in mind that safe_mode was never a real security boundary anyway; it was deprecated in PHP 5.3 and removed in PHP 5.4. If you were relying on it to separate sites, use open_basedir and run each site under its own user instead.


Remember, if you raise MaxClients for the prefork MPM in Apache, you must also raise the ServerLimit directive, which defaults to 256. ServerLimit is a hard ceiling that is always obeyed, no matter what MaxClients says. For example, if MaxClients is set to 500 and ServerLimit is 256 (or unspecified), then Apache will only ever run 256 children, and it will tell you so with a warning at startup that MaxClients has been lowered to 256.

Important items to remember:

  • Only set ServerLimit inside the MPM’s own <IfModule> section (for prefork, <IfModule prefork.c>), alongside MaxClients.
  • A change to ServerLimit needs a full stop and start of httpd; a graceful restart ignores it (MaxClients, on the other hand, can be changed with a restart).
  • Increase MaxClients/ServerLimit in a sane manner - make small increments and test.
  • Keep in mind that 500 concurrent requests can use 75% or more of modern CPUs and upwards of 1.5GB of RAM, depending on the content. Size MaxClients from the resident size of one child and the RAM you can spare, not from how many clients you would like to serve.
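Added as an illustration (not from the original post): a shell/awk function that reads the prefork <IfModule> block of an httpd.conf and reports the number of children Apache will actually run, applying the rule described above (MaxClients capped at ServerLimit, both defaulting to 256). The two configuration fragments fed to it are constructed for the demo.

```shell
#!/bin/sh
# Added example: what concurrency will Apache's prefork MPM really give you?
# Reads httpd.conf on stdin, looks only inside the prefork <IfModule> block,
# and applies: effective = min(MaxClients, ServerLimit), both defaulting to
# 256 when unset. The warning mirrors the one httpd logs at startup.
effective_prefork_clients() {
    awk '
        BEGIN { serverlimit = 256; maxclients = 256; inblock = 0 }
        /^[ \t]*<IfModule[ \t]+(prefork\.c|mpm_prefork_module)>/ { inblock = 1; next }
        /^[ \t]*<\/IfModule>/ { inblock = 0; next }
        inblock && tolower($1) == "serverlimit" { serverlimit = $2 + 0 }
        inblock && tolower($1) == "maxclients"  { maxclients  = $2 + 0 }
        END {
            eff = (maxclients < serverlimit) ? maxclients : serverlimit
            if (maxclients > serverlimit)
                printf("warning: MaxClients %d exceeds ServerLimit %d, only %d children will run\n",
                       maxclients, serverlimit, eff) > "/dev/stderr"
            print eff
        }'
}

# Constructed config fragment: the mistake the text warns about.
BAD_PREFORK='<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
MaxClients       500
MaxRequestsPerChild  4000
</IfModule>'

# Same block with ServerLimit raised alongside MaxClients.
GOOD_PREFORK='<IfModule prefork.c>
StartServers       8
ServerLimit      500
MaxClients       500
</IfModule>'

printf '%s\n' "$BAD_PREFORK"  | effective_prefork_clients   # 256, plus a warning on stderr
printf '%s\n' "$GOOD_PREFORK" | effective_prefork_clients   # 500
```

On a live server run it as effective_prefork_clients < /etc/httpd/conf/httpd.conf. The directive names are the Apache 2.0/2.2 ones the post uses; Apache 2.4 renamed MaxClients to MaxRequestWorkers, and the same cap by ServerLimit still applies.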


If you think you have a rooted RHEL box, you’ll want to run the usual rkhunter and chkrootkit, and you will want to inspect for rogue processes. However, if the rootkit hasn’t exposed its malfeasance yet, how do you know it’s there?

rpm -Va

RPM’s verify mode compares every file installed by a package against the metadata recorded in the RPM database at install time. Changes in size, checksum, permissions, ownership and timestamps can all be detected, as can files that have gone missing. Here’s some example output:

.M.......   /etc/cups
S.5....TC c /etc/cups/cupsd.conf
.......TC c /etc/cups/printers.conf
.M.......   /var/spool/cups/tmp
S.5....T. c /etc/sysconfig/system-config-securitylevel
S.5....T. c /etc/xml/catalog
S.5....T. c /usr/share/sgml/docbook/xmlcatalog
........C   /var/lib/scrollkeeper
S.?......   /usr/lib/libcurl.so.3.0.0

So what do the letters mean?

S   file Size differs
M   Mode differs (includes permissions and file type)
5   MD5 sum differs
D   Device major/minor number mismatch
L   readLink(2) path mismatch
U   User ownership differs
G   Group ownership differs
T   mTime differs
c   %config configuration file.
d   %doc documentation file.
g   %ghost file (i.e. the file contents are not included in the package payload).
l   %license license file.
r   %readme readme file.

Lots of checksums and timestamps will legitimately change from time to time, and anything flagged c is a config file the admin probably edited. What you’re looking for is an S, 5 or M on a file that should never change after installation: executables and libraries such as /bin/ls, /bin/ps, /bin/netstat, /usr/bin/passwd or the shared libraries under /lib and /usr/lib. If those have changed, you may be rooted. Two caveats: an attacker with root can also edit the RPM database, so a clean rpm -Va is not proof of a clean system; for a comparison you can trust, verify against a pristine copy of the package from the install media with rpm -Vp package.rpm. And prelink rewrites binaries on RHEL, which rpm normally accounts for when verifying, so a prelinked binary on its own shouldn’t show a 5.
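As an added example (not from the original post), here is a shell/awk filter for the output of rpm -Va or, as in the rescue post above, rpm -V on a single package. It applies the reading just described: ignore config and documentation entries, ignore mtime-only changes, and report any size, checksum or mode change, or a missing file, under the directories that hold executables and libraries. The sample listing is constructed from the legend above, not captured from a real host.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` (or `rpm -V package`) output. Config (c)
# and doc (d) files are expected to change; what matters is a size (S),
# checksum (5) or mode (M) change, or a missing file, in the directories
# that hold executables and shared libraries.
triage_rpm_verify() {
    awk '
        function binary_path(p) {
            return p ~ /^\/(bin|sbin|lib|lib64|usr\/bin|usr\/sbin|usr\/lib|usr\/lib64)\//
        }
        # "missing     /path" or "missing   c /path"
        $1 == "missing" && binary_path($NF) { print "MISSING " $NF; next }
        # Nine-character flag field, optional one-letter attribute, then path.
        length($1) == 9 && $1 ~ /^[S.M5DLUGTPC?]+$/ {
            attr = (NF == 3) ? $2 : ""
            if (attr == "c" || attr == "d") next
            if (!binary_path($NF)) next
            if ($1 ~ /[SM5]/) print "SUSPECT " $1 " " $NF
        }'
}

# Constructed sample (modelled on the legend above, not real output).
SAMPLE_RPM_V='.M.......   /etc/cups
S.5....TC c /etc/cups/cupsd.conf
.......T.   /usr/bin/passwd
S.5....T.   /bin/ls
S.?......   /usr/lib/libcurl.so.3.0.0
missing     /sbin/ifconfig'

printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
# SUSPECT S.5....T. /bin/ls
# SUSPECT S.?...... /usr/lib/libcurl.so.3.0.0
# MISSING /sbin/ifconfig
```

Live use is rpm -Va | triage_rpm_verify. Remember the caveat above: the filter is only as honest as the RPM database it reads, so treat a hit as a reason to pull the binary and compare it against install media, not as the final word either way.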


So you have multiple users that need to read and write the same files on the filesystem? This can be done with vsftpd or proftpd quite easily. Let’s say you have users called ann, bill and carl and they need to manage files in /var/www/html. Here are the steps:

For vsftpd, change the umask for files created by FTP users. Open vsftpd.conf and edit the following (vsftpd is strict about its syntax: no spaces around the =):

     local_umask=077     <-- old (the default: uploads are private to the uploader)
     local_umask=002     <-- new

For proftpd, change the umask for files created by FTP users. Open proftpd.conf and edit the following:

     Umask 002

A umask of 002 makes sure new files are created as 664 and new directories as 775 (read/write for the owner and the group, read-only for everyone else). Don’t use 022 here: that gives 644/755, which leaves the group without write access and defeats the whole point of the exercise.

Next, create a new group. We will call ours “sharedweb”:

     groupadd sharedweb

Now, put the users into that group, either by adding them to the group’s line in /etc/group:

     sharedweb:x:##:ann,bill,carl

or with gpasswd -a ann sharedweb (and likewise for bill and carl).

Modify the users so that their primary group is sharedweb. If you skip this step, files they upload will be owned by each user’s private group (on Red Hat systems every user gets a group named after themselves), and the group permissions you just set up will do nothing. Note the argument order: usermod -g GROUP USER.

     usermod -g sharedweb ann
     usermod -g sharedweb bill
     usermod -g sharedweb carl

A more robust alternative that doesn’t depend on anyone’s primary group is to set the setgid bit on the directory (mode 2775, group sharedweb): every file and subdirectory created inside it then inherits the sharedweb group regardless of which group the uploader logged in with.

Restart vsftpd (or proftpd) to pick up the new configuration, and your users should be able to upload, delete, and edit each other’s files. Remember that /var/www/html itself must also be group-writable (775, group sharedweb), or nobody will be able to create anything there in the first place.
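As an added example (not from the original post), the following shell snippet shows what the FTP daemon’s umask really produces and how the setgid bit on the shared directory behaves. An FTP upload creates the file as 666 masked by the daemon’s umask, so the probe function below reproduces exactly that. Everything is built in a temporary directory that is constructed for the demo.

```shell
#!/bin/sh
# Added example: what the FTP umask really produces, and how the setgid bit
# on the shared directory removes the dependency on each user's primary
# group. Everything is created in a scratch directory.

# Symbolic mode of a path, e.g. drwxrwsr-x (any SELinux "." suffix dropped).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Create an empty file in $2 under umask $1 and print the resulting mode.
# This is what an FTP upload does: mode 666 masked by the daemon's umask.
file_mode_under_umask() {
    ( umask "$1" && : > "$2/probe.$1" ) && mode_of "$2/probe.$1"
}

# Shared directory: 2775 = setgid + rwxrwxr-x. Group members may create
# and delete entries, and every new entry inherits the directory's group.
setup_shared_dir() {
    mkdir -p "$1" && chmod 2775 "$1"
}

demo_ftp_umask() {
    d=$(mktemp -d)
    setup_shared_dir "$d/html"
    echo "directory:      $(mode_of "$d/html")"                      # drwxrwsr-x
    echo "umask 022 file: $(file_mode_under_umask 022 "$d/html")"    # -rw-r--r--  group cannot write
    echo "umask 002 file: $(file_mode_under_umask 002 "$d/html")"    # -rw-rw-r--  group can write
    rm -rf "$d"
}

demo_ftp_umask
```

On the real server the equivalent of setup_shared_dir is chgrp sharedweb /var/www/html followed by chmod 2775 /var/www/html; after that, the usermod -g step above becomes optional, because the directory hands out its own group.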


If your server is sending an invalid HELO, you could be blacklisted pretty quickly. The CBL (which feeds Spamhaus’s XBL, and therefore the combined SBL-XBL zone) looks for servers announcing themselves improperly.

The common reasons why mail servers are blocked for bad HELOs are:

Server is announcing itself as “localhost”.
Server is announcing itself as a bare IP address. (A bracketed address literal such as [192.0.2.10] is syntactically legal under RFC 2821, but most filters still treat it as a red flag.)
Server is announcing itself as a hostname that does not exist in DNS.

Are you unsure what your server’s announcing itself as? Try these:

Send an e-mail to helocheck@cbl.abuseat.org. You will get an immediate response with exactly what your HELO contains.

- OR -

Telnet to port 25 on your mailserver. Run telnet mail.yourdomain.com 25 and wait a few seconds. The 220 greeting banner shows the hostname your server believes it has, which for Postfix and Sendmail is also the name used in outbound HELO by default. It is not a direct test of the outbound HELO, though. The definitive check is the Received: header of a message your server delivered somewhere else: the receiving server records the HELO name right after “from”, followed by the reverse DNS and IP in parentheses, e.g. “from mail.yourdomain.com (mail.yourdomain.com [192.0.2.10])”.

So your server is announcing itself as the wrong thing? Well, fix it! In every case the goal is the same: the HELO name should be a fully qualified hostname that resolves, and ideally it should match the reverse DNS (PTR) record of the IP address your mail goes out from.

Managing HELO with QMail
qmail-remote takes its HELO name from /var/qmail/control/helohost and falls back to /var/qmail/control/me if helohost doesn’t exist. Edit (or create) helohost so that it matches the reverse DNS record for your server’s primary IP address; control/me is used as the local hostname elsewhere, so it should be correct too. Alternatively, adjust the hostname on your operating system. Try running hostname mail.yourdomain.com to fix things immediately, and edit the proper configuration files to correct your hostname at boot time.

Managing HELO with Postfix
Postfix takes its outbound HELO from smtp_helo_name, whose default is the value of $myhostname. If myhostname is set in main.cf, adjust it so that it matches the reverse DNS record of your server. If it isn’t set, Postfix derives it from the operating system hostname, so adjust that instead. Try running hostname mail.yourdomain.com to fix things immediately, and edit the proper configuration files to correct your hostname at boot time. Should neither of those methods suit your server (for example because $myhostname is also used for local delivery and must stay as it is), override just the HELO name with smtp_helo_name. For example:

     smtp_helo_name = mail.yourdomain.com

Run postfix reload after any change to main.cf.

Managing HELO with Sendmail
Sendmail announces $j, its canonical hostname, which it works out from the operating system hostname and DNS. Adjust the hostname on your operating system. Try running hostname mail.yourdomain.com to fix things immediately, and edit the proper configuration files to correct your hostname at boot time. If you need to pin the name independently of the OS, set confDOMAIN_NAME in sendmail.mc and rebuild sendmail.cf.
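The checks above, as an added example that is not part of the original post: a shell function that tests a candidate HELO name offline against the three causes listed (loopback name, bare IP address, unqualified or non-existent name) and a second one that does the DNS part, resolving the name and comparing it with the PTR record of the server’s outbound address. The names in the demo loop are constructed; getent is assumed to be present, as it is on any glibc system.

```shell
#!/bin/sh
# Added example: check the name a server will put in HELO/EHLO against the
# causes of blacklisting listed above. Syntax checks run offline; the DNS
# check needs a resolver and is kept separate.

# Exit 0 for an acceptable name, 1 (with a reason on stdout) otherwise.
check_helo_syntax() {
    name=$1
    case "$name" in
        ''|localhost|localhost.localdomain)
            echo "bad: '$name' is a loopback name"; return 1 ;;
    esac
    if printf '%s\n' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo "bad: bare IP address; RFC 2821 wants a FQDN (an address literal would be [$name])"
        return 1
    fi
    if printf '%s\n' "$name" | grep -Eq '^\[[0-9.]+\]$'; then
        echo "warn: address literal is legal but is still penalised by most filters"
        return 1
    fi
    case "$name" in
        *.*) ;;
        *) echo "bad: '$name' is not fully qualified"; return 1 ;;
    esac
    echo "ok: $name"
}

# Live check (needs DNS): the name must resolve, and the PTR of the server's
# outbound address should map back to it. getent on an IP does the reverse lookup.
check_helo_dns() {
    name=$1; ip=$2
    getent hosts "$name" >/dev/null || { echo "bad: $name does not resolve"; return 1; }
    ptr=$(getent hosts "$ip" | awk '{ print $2 }')
    [ "$ptr" = "$name" ] || { echo "warn: PTR for $ip is '$ptr', not '$name'"; return 1; }
    echo "ok: $name resolves and matches the PTR for $ip"
}

# Offline demo with constructed names: only the first passes.
for n in mail.example.com localhost 192.0.2.10 '[192.0.2.10]' mailserver; do
    check_helo_syntax "$n" || true
done
```

For a real server, feed it what you actually announce: check_helo_syntax "$(postconf -h smtp_helo_name)" on Postfix, or the contents of control/helohost on qmail, followed by check_helo_dns with that name and your outbound IP.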


Setting up Postfix to accept mail for a virtual alias domain and forward it to external mailboxes is pretty easy. Here’s an example for a few domains:

/etc/postfix/main.cf

     virtual_alias_domains = hash:/etc/postfix/mydomains
     virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/mydomains (Postfix only looks up the domain in this table; the right-hand value, OK here, is ignored)

     foo.com          OK
     foo1.com         OK
     foo2.com         OK

/etc/postfix/virtual

     frank@foo.com           frank@gmail.com
     jane@foo.com            jane@earthlink.net
     jim@foo1.com            jimmy@yahoo.com
     peter@foo2.com          pete@hotmail.com

Remember, each time you edit /etc/postfix/virtual or /etc/postfix/mydomains, rebuild the hash databases and reload Postfix:

postmap /etc/postfix/virtual /etc/postfix/mydomains
postfix reload

Every domain that appears on the left-hand side of /etc/postfix/virtual must also be listed in virtual_alias_domains (or in mydestination); otherwise Postfix has no idea it is responsible for that domain and will reject the mail with “Relay access denied”. And keep in mind what forwarding means: every piece of spam that arrives for frank@foo.com is re-sent by your server to Gmail, so filter before you forward, or the reputation of your IP will suffer at the receiving end.
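Added here as an example (not from the original post): a shell/awk consistency check for the two tables, reporting any domain used on the left of the virtual map that is not declared in the domains map, which is the mistake that produces “Relay access denied”. The copies of the files it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example: every domain on the left-hand side of the virtual map must
# be declared in virtual_alias_domains, or Postfix will not accept mail for
# it. Report the ones that are missing.

# Print each domain used in the virtual map ($1) but not declared in the
# domains map ($2); exit 0 if there are none, 1 otherwise.
check_virtual_domains() {
    virtual=$1; domains=$2
    awk '
        # First file: declared domains (first column; skip blank and comment lines).
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) declared[tolower($1)] = 1; next }
        # Second file: take the domain part of the left-hand address.
        $1 ~ /@/ && $1 !~ /^#/ {
            split($1, parts, "@")
            dom = tolower(parts[2])
            if (!(dom in declared) && !(dom in reported)) {
                reported[dom] = 1
                print "undeclared domain: " dom
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$domains" "$virtual"
}

# Constructed sample files in a scratch directory: foo2.com is missing.
demo_virtual_check() {
    t=$(mktemp -d)
    printf '%s\n' 'foo.com   OK' 'foo1.com  OK' > "$t/mydomains"
    printf '%s\n' 'frank@foo.com   frank@gmail.com' \
                  'jim@foo1.com    jimmy@yahoo.com' \
                  'peter@foo2.com  pete@hotmail.com' > "$t/virtual"
    check_virtual_domains "$t/virtual" "$t/mydomains" || true   # prints: undeclared domain: foo2.com
    rm -rf "$t"
}

demo_virtual_check
```

On the real server run check_virtual_domains /etc/postfix/virtual /etc/postfix/mydomains before the postmap step; it reads the text sources, not the .db files.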
