Thanks Paul :-)
That is the case - I use Debian :-)
I gave the web server rights to read dbmail.conf and now it works :-)
Peter
----- Original Message -----
From: Paul J Stevens
To: [EMAIL PROTECTED] ; DBMail mailinglist
Sent: Monday, June 28, 2004 10:12 AM
Subject: Re: [DbMail] XHTML DbMail Administration Interface Contrib
Just some input here:
If Peter is running the Debian packages or uses a similar permission setup, that would also explain his troubles. In Debian the dbmail.conf is installed 0600 and owned by root.
M. J. [Mike] O'Brien wrote:
> Hey Peter:
> dbmail-adduser runs as guest fresh out of gmake. It relies on MySQL username
> and pass in dbmail.conf.
> I just slapped DbMail onto a file server that has only a mysql40-client and
> the dbmail.conf pointing to an external cluster. Logged out and in as
> guest:guest and 'dbmail-adduser s' accessed the remote MySQL servers. I then
> used 'dbmail-adduser a' to add a user and alias and it did.
Which is a seriously hazardous situation. This means anyone with shell access on your machine can wreak havoc in your dbmail userdb, thereby possibly deleting all your mail.
Unless no one has any kind of access to your webserver or shellserver you should avoid this setup. Almost as bad as running apache as root :-)
Imagine mr. blackhat installing a php script or cgi that has system/exec permissions, thereby gaining access to dbmail-adduser...
IMO you should either clamp down on dbmail.conf's mode, and/or restrict access to dbmail-adduser.
Some kind of suexec setup is the only safe path here.
--
________________________________________________________________
Paul Stevens [EMAIL PROTECTED]
NET FACILITIES GROUP GPG/PGP: 1024D/11F8CD31
The Netherlands_______________________________________www.nfg.nl
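
The two controls Paul names (the mode of dbmail.conf and who may run dbmail-adduser) can be checked from file modes alone. The following is an added example, not part of the thread and not DBMail's own tooling; it assumes GNU stat as on Debian, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (as on Debian).
# Paths are supplied by the caller; nothing here is DBMail's own tooling.

sym_mode() { stat -c '%A' -- "$1"; }   # e.g. "-rw-r-----"

# conf_exposure FILE -> world | group | owner | missing
# Who, by file mode alone (ACLs not considered), can read the DB credentials.
conf_exposure() {
    [ -f "$1" ] || { echo missing; return 0; }
    case $(sym_mode "$1") in
        ???????r*) echo world ;;   # "other" read bit: every local account
        ????r*)    echo group ;;   # members of the file's group only
        *)         echo owner ;;   # 0600-style: the owner alone
    esac
}

# tool_exposure FILE -> world-setid | world | restricted | missing
# "world-setid": anyone may run it and it runs with the owner's or group's
# identity, so callers inherit whatever access that identity has.
tool_exposure() {
    [ -f "$1" ] || { echo missing; return 0; }
    case $(sym_mode "$1") in
        ???[sS]?????[xt]*|??????[sS]??[xt]*) echo world-setid ;;
        ?????????[xt]*)                      echo world ;;
        *)                                   echo restricted ;;
    esac
}

# audit CONF TOOL -> one summary line plus findings; status 1 when any
# local account (shell user, PHP/CGI script) can reach the user database.
audit() {
    c=$(conf_exposure "$1"); t=$(tool_exposure "$2")
    echo "config=$c tool=$t"
    rc=0
    if [ "$c" = world ]; then
        echo "FAIL: $1 readable by all; DB credentials open to every account"
        rc=1
    fi
    if [ "$t" = world-setid ]; then
        echo "FAIL: $2 is set-id and world-executable; callers inherit its access"
        rc=1
    fi
    if [ "$c" = group ]; then
        echo "NOTE: config readers limited to group $(stat -c '%G' -- "$1")"
    fi
    return "$rc"
}
```

Source the file and call `audit <path to dbmail.conf> <path to dbmail-adduser>`; a non-zero status means the setup Mike describes, where a guest account can use the database credentials, is possible on that host.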