Shared User IDs
[posted 2000/06/19]
By chance, I happened to learn of shared user IDs on our main mail server: user A owned user B's mail file. Despite what appeared to be a proper PIKT fix for this, the problem was persisting.
Here was the relevant section from the MailFileChkNotice script:
    rule  // mail file owned by another account
        if $access =~ "^-"  // not link or dir
           && $owner ne $name
           ... [more && conditions omitted for brevity]
            =outputmail "$name file owned by $owner"
            =execwait "=chown $name =maildir/$name"
        endif
An 'ls -ld' of user B's mail file showed the problem:
    rootmoscow> ls -ld /var/mail/groucho
    -rw-rw----   1 harpo    mail      141792 Jun  7 17:28 /var/mail/groucho
"harpo" owned the "groucho" mail file. I confirmed that PIKT was exec'ing the appropriate corrective step:
    Jun 19 03:51:12 INFO: in dostatement(), MailFileChkNotice, exec wait "/usr/bin/chown groucho /var/mail/groucho 2>> /pikt/var/log/Notice.log; /usr/bin/rm -f /pikt/etc/Notice.exec.lock 2>/dev/null"
But this was having no apparent effect. After a minute or two, I discovered the problem:
    rootmoscow> ypmatch groucho passwd
    groucho:aM0x7me/mkG6s:48004:40:Groucho Marx:/home/groucho:/local/bin/bash
    rootmoscow> ypmatch harpo passwd
    harpo:fFYP0sbxy6dsY:48004:40:Harpo Marx:/home/harpo:/local/bin/bash
These two users share the same uid in NIS! Hmm, I thought I had a PIKT script and rule to check for this, but I guess not. I'll put that on my PIKT todo list for sure.
To catch this sort of thing in the future, I revised the MailFileChkNotice script as follows:
    rule  // mail file owned by another account
        if $access =~ "^-"  // not link or dir
           && $owner ne $name
           ... [more && conditions omitted for brevity]
            if #split($p, $command("=ypmatch $name passwd 2>&1"), ":") == 7
                if $p[1] eq $name
                    =outputmail "$name file owned by $owner"
                    =execwait "=chown $name =maildir/$name"
                    do #split($ll, $command("=ll =maildir/$name 2>&1"), " ")
                    if $ll[3] ne $name
                        output mail "bad file ownership: $inlin"
                    endif
                else
                    output mail "bad file ownership: $inlin"
                endif
            else
                output mail "bad file ownership: $inlin"
            endif
        endif
Before we attempt the chown, we do a ypmatch on this mail file's name. If the ypmatch command gives "bad" results (anything other than the seven colon-separated passwd fields), we send alert mail about "bad file ownership". If the account (first) field of a "good" ypmatch result equals the mail file name, we proceed with the chown; otherwise here too we send alert mail about "bad file ownership".
    =outputmail "$name file owned by $owner"
only sends mail if the 'verbose' #define is set to TRUE in defines.cfg. (For us, it's not.)
    =execwait "=chown $name =maildir/$name"
only does the actual chown if the 'doexec' #define is set to TRUE in defines.cfg. (For us, it is.)
After the chown exec, we rerun the 'ls -ld' for this mail file and split the output into the $ll[] array. If the third field of the 'ls -l' output, $ll[3], still doesn't match the mail file's name, the chown didn't take effect and we still have a problem, so we output mail about that.
To test these modifications, I registered the following in alerts.cfg:
    #if moscow
    Test            timing =piktnever
                    mailcmd "=mailx -s 'PIKT Alert on =pikthostname: Test' pikt-test"
                    alarms MailFileChkNotice
    #endif
On the master machine, vienna, I installed this test script on the main mailserver, moscow, with the command:
    rootvienna> piktc -iv +D verbose -D doexec +A Test +H moscow
Next, on moscow, I ran the script at the command line:
    rootmoscow> script /tmp/Test.out
    > /pikt/bin/pikt +A Test
    [output follows]
    > exit
A 'vi /tmp/Test.out' confirmed that I was now catching this heretofore undetected error.
Back on the master machine, I then deleted all traces of the Test alert on moscow:
    rootvienna> piktc -tv +A Test +H moscow
    processing moscow...
            disabling alert(s)...
                    Test disabled
            deleting file(s)...
                    Test.alt deleted
            deleting file(s)...
                    Test.hst deleted
            deleting file(s)...
                    Test.log deleted
And finally, I installed the Notice alert scripts, including the revised MailFileChkNotice script, on all mailserver machines:
    rootvienna> piktc -iv +A Notice +H mailserver
    [output omitted for brevity]
(Sorry for going over some of the same ground again, but I revisit the testing procedures from time to time for the benefit of new pikt-users members.)
For more examples, see Developer's Notes.