bityard Blog

// AIX RPMs: postfix, scponly, sudosh2 and tinycdb

Following up on the previous posts AIX RPMs: Introduction and AIX RPMs: aaa_base, logrotate and run_parts, here are four new AIX RPM packages. Two of them (scponly and sudosh2) are security oriented, the other two (postfix and tinycdb) belong to the mail infrastructure category.

  • postfix: Postfix is Wietse Venema's mail server that started life at IBM research as an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and secure. The outside has a definite Sendmail-ish flavor, but the inside is completely different.

    To this date I have not been able to figure out why IBM is still shipping sendmail as the default MTA with its AIX operating system, when there is a much easier-to-handle replacement being actively developed within IBM.

    This Postfix package is intended as a drop-in replacement for the standard AIX sendmail MTA. This is accomplished by replacing the standard AIX commands /usr/sbin/sendmail, /usr/sbin/newaliases and /usr/sbin/mailq with symlinks to the commands provided by Postfix, e.g.:

    $ ls -al /usr/sbin/sendmail* /usr/sbin/mailq* /usr/sbin/newaliases*
    
    lrwxrwxrwx    1 root     system           23 Jun 28 21:05 /usr/sbin/mailq -> /opt/freeware/bin/mailq
    -r-sr-s--x    3 root     system      1526060 Jun 28 21:05 /usr/sbin/mailq.AIX
    lrwxrwxrwx    1 root     system           28 Jun 28 21:05 /usr/sbin/newaliases -> /opt/freeware/bin/newaliases
    -r-sr-s--x    3 root     system      1526060 Jun 28 21:05 /usr/sbin/newaliases.AIX
    lrwxrwxrwx    1 root     system           27 Jun 28 21:05 /usr/sbin/sendmail -> /opt/freeware/sbin/sendmail
    -r-sr-s--x    3 root     system      1526060 Jun 28 21:05 /usr/sbin/sendmail.AIX

    Unfortunately this rather crude change also means that after every AIX update or iFix to the bos.net.tcp.client package the symlinks have to be recreated. The update silently puts IBM's setuid sendmail binaries back in place (note the Aug 11 timestamps in the listing below), so until the symlinks are restored local mail is handled by IBM sendmail again rather than by Postfix, e.g.:

    $  ls -al /usr/sbin/sendmail* /usr/sbin/mailq* /usr/sbin/newaliases*
    
    -r-sr-s--x    3 root     system      1525764 Aug 11 04:48 /usr/sbin/mailq
    -r-sr-s--x    3 root     system      1495652 Mar 12 2010  /usr/sbin/mailq.AIX
    -r-sr-s--x    3 root     system      1525764 Aug 11 04:48 /usr/sbin/newaliases
    -r-sr-s--x    3 root     system      1495652 Mar 12 2010  /usr/sbin/newaliases.AIX
    -r-sr-s--x    3 root     system      1525764 Aug 11 04:48 /usr/sbin/sendmail
    -r-sr-s--x    3 root     system      1495652 Mar 12 2010  /usr/sbin/sendmail.AIX
    
    $ for FL in /usr/sbin/sendmail /usr/sbin/mailq /usr/sbin/newaliases; do mv ${FL} ${FL}.AIX; done
    $ ln -s /opt/freeware/bin/mailq /usr/sbin/mailq
    $ ln -s /opt/freeware/bin/newaliases /usr/sbin/newaliases
    $ ln -s /opt/freeware/sbin/sendmail /usr/sbin/sendmail
    $ ls -al /usr/sbin/sendmail* /usr/sbin/mailq* /usr/sbin/newaliases*
    
    lrwxrwxrwx    1 root     system           23 Nov 22 16:23 /usr/sbin/mailq -> /opt/freeware/bin/mailq
    -r-sr-s--x    3 root     system      1525764 Aug 11 04:48 /usr/sbin/mailq.AIX
    lrwxrwxrwx    1 root     system           28 Nov 22 16:23 /usr/sbin/newaliases -> /opt/freeware/bin/newaliases
    -r-sr-s--x    3 root     system      1525764 Aug 11 04:48 /usr/sbin/newaliases.AIX
    lrwxrwxrwx    1 root     system           27 Nov 22 16:23 /usr/sbin/sendmail -> /opt/freeware/sbin/sendmail
    -r-sr-s--x    3 root     system      1525764 Aug 11 04:48 /usr/sbin/sendmail.AIX
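The manual mv/ln sequence above is easy to get wrong after a late-night update, and it happily creates dangling links if Postfix is not where you think it is. The following script is an added example for this post (it is not part of the Postfix RPM): it does the same relinking idempotently, refuses to touch anything when a Postfix binary is missing, and keeps the restored IBM binary aside as .AIX exactly like the commands above. It assumes the /opt/freeware/bin and /opt/freeware/sbin layout shown in the listings; the three directories are parameters so it can be tried against a scratch tree first.

```sh
#!/bin/sh
# relink_mta.sh - re-point the AIX sendmail, mailq and newaliases commands at
# Postfix after an update to bos.net.tcp.client has restored IBM's binaries.
#
# Added example for this post, not part of the Postfix RPM. It assumes the
# /opt/freeware layout shown above; the three directories are parameters so
# the function can be exercised against a scratch tree before it touches a
# live system. Call on a real host:
#   relink_mta /usr/sbin /opt/freeware/bin /opt/freeware/sbin

# pf_target NAME FREEWARE_BIN FREEWARE_SBIN - where the Postfix RPM installs NAME
pf_target() {
    case $1 in
        sendmail) echo "$3/$1" ;;   # sendmail lives in /opt/freeware/sbin
        *)        echo "$2/$1" ;;   # mailq and newaliases in /opt/freeware/bin
    esac
}

# link_target PATH - print what symlink PATH points to. readlink is not part
# of base AIX, so the target is parsed out of ls -l; prints nothing for a
# regular file.
link_target() {
    [ -L "$1" ] && ls -ld "$1" | sed 's/.* -> //'
}

# relink_mta SBIN FREEWARE_BIN FREEWARE_SBIN
#   Prints the number of links created or repaired; 0 means all were correct.
#   Returns 1 and changes nothing if a Postfix binary is missing, so the host
#   is never left with a dangling /usr/sbin/sendmail and no working MTA.
relink_mta() {
    sbin=$1
    for name in sendmail mailq newaliases; do
        target=$(pf_target "$name" "$2" "$3")
        if [ ! -x "$target" ]; then
            echo "relink_mta: $target not found, nothing changed" >&2
            return 1
        fi
    done
    changed=0
    for name in sendmail mailq newaliases; do
        target=$(pf_target "$name" "$2" "$3")
        cmd=$sbin/$name
        # Already a symlink to the right binary: leave it alone, so the
        # script is safe to run after every update, or from cron.
        if [ "$(link_target "$cmd")" = "$target" ]; then
            continue
        fi
        if [ -L "$cmd" ]; then
            rm -f "$cmd"             # symlink pointing somewhere else
        elif [ -e "$cmd" ]; then
            mv "$cmd" "$cmd.AIX"     # IBM binary restored by the update: keep it aside
        fi
        ln -s "$target" "$cmd"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# When invoked directly with the three directories, do the work.
if [ $# -eq 3 ]; then
    relink_mta "$@"
fi
```

Like the manual mv in the post, this overwrites the previous .AIX copy with the freshly updated IBM binary, which is what you want (the listing above shows the .AIX sizes changing from 1495652 to 1525764 for exactly that reason). Note that the .AIX copies keep the setuid/setgid bits visible in the listings; whether to leave IBM's sendmail executable at all is a separate local decision.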

    RPM packages

    Source RPM packages

  • scponly: An alternative 'shell' (of sorts) for system administrators who would like to give remote users read and write access to local files without granting any remote execution privileges. Functionally, it is best described as a wrapper around the mostly trusted suite of SSH applications. scponly knows two modes of operation, a non-chroot'ed and a chroot'ed one. After installing the RPM the setup differs slightly between the two modes:

    • non-chroot: Create a user for remote access to your usual standards, just give /opt/freeware/bin/scponly as a shell instead of the one you usually use:

      $ mkuser id='9999' pgrp='staff' home='/home/scptest' gecos='Scponly Test User' shell='/opt/freeware/bin/scponly' scptest
    • chroot: Create a user for remote access to your usual standards, just give /opt/freeware/sbin/scponlyc as a shell instead of the one you usually use:

      $ mkuser id='9999' pgrp='staff' home='/home/scptest' gecos='Scponly Test User (chroot)' shell='/opt/freeware/sbin/scponlyc' scptest

      Execute the script /opt/freeware/libexec/scponly/setup_chroot.sh to set up the chroot environment:

      $ lsuser scptest
      scptest id=9999 pgrp=staff groups=staff home=/home/scptest shell=/opt/freeware/sbin/scponlyc gecos=Scponly Test User (chroot) ...
      
      $ /opt/freeware/libexec/scponly/setup_chroot.sh -d /chroot -u scptest
      INFO:
      INFO: For incoming files create a directory somewhere within "/chroot"
      INFO: that is owned and writeable by the the user "scptest", e.g.:
      INFO:
      INFO:   mkdir /chroot/incoming
      INFO:   chown scptest:staff /chroot/incoming
      INFO:   chmod 700 /chroot/incoming
      INFO:
      INFO: DO NOT CHANGE OWNER OR PERMISSIONS ON THE USUAL USER HOME DIRECTORY, e.g.:
      INFO: "/chroot/home/scptest"! THIS WILL BREAK THE SECURITY OF THE
      INFO: SSH CONFIGURATION STORED IN "/chroot/home/scptest/.ssh"!
      INFO:
      
      $ lsuser scptest
      scptest id=9999 pgrp=staff groups=staff home=/chroot//home/scptest shell=/opt/freeware/sbin/scponlyc gecos=Scponly Test User (chroot) ...
      The double slash (//) in the user's home directory path is essential. scponlyc splits the path at this marker: the part before it (/chroot) is the directory to chroot() into, the part after it (/home/scptest) is the user's home directory inside the chroot. If there is no double slash in the home directory path, scponlyc cannot determine the chroot directory, the chroot() system call fails, and the login does not get the additional protection of the chroot environment. After running setup_chroot.sh, verify the marker with lsuser as shown above.
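Because a missing // marker silently costs you the chroot, it is worth checking for it on every account that uses scponlyc, not only on the one you just created. The following audit is an added example for this post (not part of scponly): it reads /etc/passwd-style lines, picks out the accounts whose shell is /opt/freeware/sbin/scponlyc, and reports the chroot directory and in-chroot home for each, or flags the account when the marker is absent. The sample passwd lines in the test are constructed; on a real host run `audit_scponlyc_passwd < /etc/passwd`.

```sh
#!/bin/sh
# audit_scponlyc.sh - check that every scponlyc account carries the "//"
# chroot marker in its home directory.
#
# Added example for this post, not part of scponly. Assumes scponlyc is
# installed at the path below and that, as described above, the home path is
# "<chroot dir>//<home inside the chroot>".

SCPONLYC=/opt/freeware/sbin/scponlyc

# split_chroot_home HOME
#   Prints "ROOT HOME_IN_CHROOT" for a home path containing the // marker,
#   e.g. /chroot//home/scptest -> "/chroot /home/scptest".
#   Returns 1 and prints nothing when the marker is missing.
split_chroot_home() {
    case $1 in
        *//*) ;;
        *)    return 1 ;;
    esac
    root=${1%%//*}            # everything before the first //
    inner=${1#*//}            # everything after it
    [ -n "$root" ] || root=/  # "//home/x" means chroot into / itself
    printf '%s /%s\n' "$root" "$inner"
}

# audit_scponlyc_passwd < passwd-lines
#   For each line whose shell is $SCPONLYC prints one of
#     "<user> OK <chroot dir> <home inside chroot>"
#     "<user> NO-MARKER <home>"
#   Accounts with any other shell (including the non-chroot scponly) are
#   ignored. Exit status is 1 if at least one scponlyc account lacks the marker.
audit_scponlyc_passwd() {
    bad=0
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        [ "$shell" = "$SCPONLYC" ] || continue
        if parts=$(split_chroot_home "$home"); then
            echo "$user OK $parts"
        else
            echo "$user NO-MARKER $home"
            bad=1
        fi
    done
    return $bad
}
```

The check is deliberately a pure parse of the account database so it can run from any host that has a copy of the passwd file; confirming that the chroot directory and the .ssh directory inside it exist with the ownership setup_chroot.sh prints is a second step on the target system itself.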

    For logging and debugging purposes, scponly uses syslog with the auth facility and the syslog priorities info or debug. Check your syslog configuration to make sure the logging of those facilities and priorities is set up according to your needs. With the file /opt/freeware/etc/scponly/debuglevel the debug log level of scponly can be raised. To enable logging of debug messages put the string “1” in the file. To disable logging of debug messages put the string “0” in the file.

    RPM packages

    Source RPM packages

  • sudosh2: sudosh is an auditing shell filter and can be used as a login shell. sudosh records all keystrokes and output and can play back the session just like a VCR. sudosh2 is a continuation of the development of sudosh.

    RPM packages

    Source RPM packages

  • tinycdb: TinyCDB is a very fast and simple package for creating and reading constant databases, a data structure introduced by Dan J. Bernstein in his cdb package. It is used for example by the postfix package to enable the cdb: lookup table type.

    RPM packages

    Source RPM packages
