Tuesday, June 4, 2013

Running mini_sendmail with php-fpm chroot on Centos 6 , debian 6, ...


Chrooting a website is a good security improvement on a server with multiple websites hosted.
When you set the chroot  of php-fpm you'll not be able to send mails, I fixed this using mini_sendmail. Here's the procedure:

Download and extract your OS template on chroot directory from openvz.  (Don't forget to set the file owners correctly)
Enter chroot directory and run :
chmod 0666 dev/{tty,null,zero}
echo "8.8.8.8" > etc/resolv.conf

Now compile mini_sendmail:
cd /usr/src
wget http://acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
tar -zxf mini_sendmail-1.3.6.tar.gz
cd mini_sendmail-1.3.6


If you start compiling mini_sendmail now, you'll receive the following error and mini_sendmail will not work properly :
mini_sendmail.c:(.text+0x5df): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

To fix that edit mini_sendmail.c and in Line #148 replace :
username = getlogin();
with
username = "USERNAME";
where USERNAME is your php-fpm user .
Now compile it :
make

and copy it to usr/sbin/sendmail
/home/USERNAME/usr/sbin/sendmail
chmod 755 /home/USERNAME/usr/sbin/sendmail
chown USERNAME:USERNAME /home/USERNAME/usr/sbin/sendmail

Notes :
- I also tested mini_sendmail on chrooted ssh user, if you don't replace username with getlogin() according to above instructions, mini_sendmail will fail to work with the following error :
mini_sendmail: can't determine username

- The following error can be ignored safely :
mini_sendmail.c:(.text+0xa47): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

- When I compiled mini_sendmail on debian 6 x64, It didn't work with the following error :
unexpected reloc type in static binarySegmentation fault
I tried to compile it on another OS ( centos 6, debian 6 i686 ) and copy the binary to the server, it worked...

No comments:

Post a Comment