Following up on the previous posts AIX RPMs: Introduction and AIX RPMs: aaa_base, logrotate and run_parts, here are four new AIX RPM packages. Two (scponly and sudosh2) are more security oriented, whereas the other two (postfix and tinycdb) belong to the mail infrastructure category.
postfix: Postfix is Wietse Venema's mail server that started life at IBM research as an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and secure. The outside has a definite Sendmail-ish flavor, but the inside is completely different.
To this date I have not been able to figure out why IBM is still shipping sendmail as the default MTA with its AIX operating system, when there is a much easier to handle replacement being actively developed within IBM.
This Postfix package is aimed to be a drop-in replacement for the standard AIX sendmail MTA. This is accomplished by replacing the standard AIX commands /usr/sbin/sendmail, /usr/sbin/newaliases and /usr/sbin/mailq with symlinks to the commands provided by Postfix, e.g.:
$ ls -al /usr/sbin/sendmail* /usr/sbin/mailq* /usr/sbin/newaliases*
lrwxrwxrwx 1 root system      23 Jun 28 21:05 /usr/sbin/mailq -> /opt/freeware/bin/mailq
-r-sr-s--x 3 root system 1526060 Jun 28 21:05 /usr/sbin/mailq.AIX
lrwxrwxrwx 1 root system      28 Jun 28 21:05 /usr/sbin/newaliases -> /opt/freeware/bin/newaliases
-r-sr-s--x 3 root system 1526060 Jun 28 21:05 /usr/sbin/newaliases.AIX
lrwxrwxrwx 1 root system      27 Jun 28 21:05 /usr/sbin/sendmail -> /opt/freeware/sbin/sendmail
-r-sr-s--x 3 root system 1526060 Jun 28 21:05 /usr/sbin/sendmail.AIX
Unfortunately this rather crude change also means that after every AIX update or iFix to the bos.net.tcp.client package those symlinks have to be recreated, e.g.:
$ ls -al /usr/sbin/sendmail* /usr/sbin/mailq* /usr/sbin/newaliases*
-r-sr-s--x 3 root system 1525764 Aug 11 04:48 /usr/sbin/mailq
-r-sr-s--x 3 root system 1495652 Mar 12  2010 /usr/sbin/mailq.AIX
-r-sr-s--x 3 root system 1525764 Aug 11 04:48 /usr/sbin/newaliases
-r-sr-s--x 3 root system 1495652 Mar 12  2010 /usr/sbin/newaliases.AIX
-r-sr-s--x 3 root system 1525764 Aug 11 04:48 /usr/sbin/sendmail
-r-sr-s--x 3 root system 1495652 Mar 12  2010 /usr/sbin/sendmail.AIX
$ for FL in /usr/sbin/sendmail /usr/sbin/mailq /usr/sbin/newaliases; do mv ${FL} ${FL}.AIX; done
$ ln -s /opt/freeware/bin/mailq /usr/sbin/mailq
$ ln -s /opt/freeware/bin/newaliases /usr/sbin/newaliases
$ ln -s /opt/freeware/sbin/sendmail /usr/sbin/sendmail
$ ls -al /usr/sbin/sendmail* /usr/sbin/mailq* /usr/sbin/newaliases*
lrwxrwxrwx 1 root system      23 Nov 22 16:23 /usr/sbin/mailq -> /opt/freeware/bin/mailq
-r-sr-s--x 3 root system 1525764 Aug 11 04:48 /usr/sbin/mailq.AIX
lrwxrwxrwx 1 root system      28 Nov 22 16:23 /usr/sbin/newaliases -> /opt/freeware/bin/newaliases
-r-sr-s--x 3 root system 1525764 Aug 11 04:48 /usr/sbin/newaliases.AIX
lrwxrwxrwx 1 root system      27 Nov 22 16:23 /usr/sbin/sendmail -> /opt/freeware/sbin/sendmail
-r-sr-s--x 3 root system 1525764 Aug 11 04:48 /usr/sbin/sendmail.AIX
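To avoid redoing the move-and-symlink steps by hand after each update, here is an added shell function (not code from the post or from the Postfix RPM) that detects when the AIX binaries are back in /usr/sbin and repeats exactly those steps, refusing to create dangling links if the Postfix commands are missing. The function name and the ROOT prefix parameter are assumptions; on a live system it is called with an empty prefix.

```shell
#!/bin/sh
# Added example: re-create the three Postfix symlinks that an update of
# bos.net.tcp.client replaces with the setuid AIX sendmail binary.
# ROOT is an assumed prefix so the function can be run against a scratch
# tree; on a real AIX host call restore_postfix_links "".
restore_postfix_links() {
    ROOT="$1"
    CHANGED=0
    for PAIR in sendmail:/opt/freeware/sbin/sendmail \
                mailq:/opt/freeware/bin/mailq \
                newaliases:/opt/freeware/bin/newaliases; do
        NAME="${PAIR%%:*}"
        TARGET="${PAIR#*:}"
        FL="${ROOT}/usr/sbin/${NAME}"
        # Never point /usr/sbin at a Postfix command that is not installed.
        if [ ! -x "${ROOT}${TARGET}" ]; then
            echo "missing Postfix command ${TARGET}, aborting" >&2
            return 1
        fi
        if [ -L "$FL" ]; then
            # Symlink already pointing at the Postfix command: nothing to do.
            CUR=$(ls -ld "$FL" | sed 's/.* -> //')
            if [ "$CUR" = "$TARGET" ]; then
                continue
            fi
            rm -f "$FL"
        elif [ -e "$FL" ]; then
            # A real file here is the AIX binary put back by the update;
            # park it as <name>.AIX, the same way the post does.
            mv "$FL" "${FL}.AIX" || return 1
        fi
        ln -s "$TARGET" "$FL" || return 1
        CHANGED=$((CHANGED + 1))
    done
    echo "postfix symlinks recreated: $CHANGED"
    return 0
}
```

Running it a second time reports zero changes, so it is safe to hook into whatever post-update checklist you already use.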
scponly: An alternative 'shell' (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the mostly trusted suite of SSH applications. scponly knows two modes of operation, a non-chroot'ed and a chroot'ed one. After installing the RPM the setup is a bit different for either mode:
non-chroot: Create a user for remote access to your usual standards, just give /opt/freeware/bin/scponly as a shell instead of the one you usually use:
$ mkuser id='9999' pgrp='staff' home='/home/scptest' gecos='Scponly Test User' shell='/opt/freeware/bin/scponly' scptest
chroot: Create a user for remote access to your usual standards, just give /opt/freeware/sbin/scponlyc as a shell instead of the one you usually use:
$ mkuser id='9999' pgrp='staff' home='/home/scptest' gecos='Scponly Test User (chroot)' shell='/opt/freeware/sbin/scponlyc' scptest
Execute the script /opt/freeware/libexec/scponly/setup_chroot.sh to set up the chroot environment:
$ lsuser scptest
scptest id=9999 pgrp=staff groups=staff home=/home/scptest shell=/opt/freeware/sbin/scponlyc gecos=Scponly Test User (chroot) ...
$ /opt/freeware/libexec/scponly/setup_chroot.sh -d /chroot -u scptest
INFO:
INFO: For incoming files create a directory somewhere within "/chroot"
INFO: that is owned and writeable by the the user "scptest", e.g.:
INFO:
INFO:   mkdir /chroot/incoming
INFO:   chown scptest:staff /chroot/incoming
INFO:   chmod 700 /chroot/incoming
INFO:
INFO: DO NOT CHANGE OWNER OR PERMISSIONS ON THE USUAL USER HOME DIRECTORY, e.g.:
INFO: "/chroot/home/scptest"! THIS WILL BREAK THE SECURITY OF THE
INFO: SSH CONFIGURATION STORED IN "/chroot/home/scptest/.ssh"!
INFO:
$ lsuser scptest
scptest id=9999 pgrp=staff groups=staff home=/chroot//home/scptest shell=/opt/freeware/sbin/scponlyc gecos=Scponly Test User (chroot) ...
The double slash (//) in the user's home directory path is very important! With this marker, scponly determines to where the chroot() system call should be made. If there is no double slash (//) in the path of the user's home directory, the chroot() system call fails. In this case the intended additional security of a chroot environment will not be available!
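As an added check, not part of the original post or of scponly, the following script audits passwd-format account entries and reports every scponlyc account whose home directory lacks the // marker, i.e. every account where chroot() would fail. The function name and the constructed sample entries are assumptions; on a live AIX system the same fields come from lsuser or /etc/passwd.

```shell
#!/bin/sh
# Added example: flag scponlyc users whose home lacks the "//" chroot marker.
# SCPONLYC matches the shell path used in the post; the input file is in
# /etc/passwd format (name:pw:uid:gid:gecos:home:shell).
SCPONLYC=/opt/freeware/sbin/scponlyc

# Prints one line per scponlyc account and returns the number of
# misconfigured accounts (0 means every chroot'ed user is set up correctly).
check_scponly_homes() {
    PASSWD="$1"
    BAD=0
    while IFS=: read -r NAME PW UID_ GID_ GECOS HOME_ SHELL_; do
        [ "$SHELL_" = "$SCPONLYC" ] || continue
        case "$HOME_" in
            *//*)
                # Marker present: scponly chroots to the part before "//"
                # and lands in the part after it.
                echo "OK   $NAME chroot=${HOME_%%//*} home=/${HOME_#*//}" ;;
            *)
                echo "BAD  $NAME home=$HOME_ (no // marker, chroot() would fail)"
                BAD=$((BAD + 1)) ;;
        esac
    done < "$PASSWD"
    return $BAD
}

# Constructed sample entries (not from any real system) for a stand-alone run.
SAMPLE="${TMPDIR:-/tmp}/scponly-passwd.$$"
cat > "$SAMPLE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
scptest:!:9999:1:Scponly Test User (chroot):/chroot//home/scptest:/opt/freeware/sbin/scponlyc
scpbad:!:9998:1:Scponly Bad User:/chroot/home/scpbad:/opt/freeware/sbin/scponlyc
scpplain:!:9997:1:Scponly Plain User:/home/scpplain:/opt/freeware/bin/scponly
EOF
RC=0
check_scponly_homes "$SAMPLE" || RC=$?
echo "misconfigured scponlyc accounts: $RC"
rm -f "$SAMPLE"
```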
For logging and debugging purposes, scponly uses syslog with the auth facility and the syslog priorities info or debug. Check your syslog configuration to make sure the logging of this facility and these priorities is set up according to your needs. With the file /opt/freeware/etc/scponly/debuglevel the debug log level of scponly can be raised. To enable logging of debug messages put the string "1" in the file. To disable logging of debug messages put the string "0" in the file.
sudosh2: sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session just like a VCR. Sudosh2 is a continuation of the development of sudosh.
tinycdb: TinyCDB is a very fast and simple package for creating and reading constant data bases, a data structure introduced by Dan J. Bernstein in his cdb package. It is used for example by the postfix package to enable the use of the cdb: lookup table file type.