Nathanael D. Noblet wrote:
> On 01/21/2011 05:20 PM, Frantisek Hanzlik wrote:
>> I'm not an Apache guru, but I took your above configuration (well,
>> for simplicity without Auth* and Require directives, and with
>> adding "SuexecUserGroup dspam dspam" as my DSPAM cgi scripts
>> require this), and this config works OK (on Fedora 13 and 14).
>
>
> Hello,
>
> I'm the package maintainer for DSPAM on Fedora and RHEL and wonder
> what the implications are of SuexecUserGroup. I'll admit I use DSPAM but
> don't use the web UI. I've seen HOWTOs that describe using
> SuexecUserGroup, as well as some without. Matěj is correct, apache will
> not allow SuexecUserGroup outside of /var/www, so before I move it, I'm
> wondering why some HOWTOs have that as a necessity, and others function
> without SuexecUserGroup. Can anyone explain? I gather that
> SuexecUserGroup allows it to run with the same user privileges as it
> normally does (dspam:mail on Fedora/EPEL). However I'm wondering if that
> is required.
In my configuration (hash_drv backend, dspam-home=/var/dspam,
delivery-agent=/usr/bin/procmail.dspam) dspam must:

- have RW access to the /var/dspam/data/ stuff, running as an ordinary
  user. So I have it SGID, dspam:dspam owned, mode 2555
- be able to successfully run the procmail LDA, which must be root SUID
  and has group mail and mode 4550 for me. Thus I have dspam in the
  "mail" group.
- The Web UI script tree must be (read-only) accessible to the apache user
  or group (whichever Apache is running as). It is solved e.g. by setting
  RO access for other; it probably isn't a bigger security risk.
- dspam must be able to run from these cgi scripts.

====================================================

I have solved this by suexec-ing to dspam:dspam, and then things are working
without any additional arrangement.

But this may be solved in other ways too, when cgi scripts are running
implicitly, as apache:apache. Then apache must have RW access to the
/var/dspam (dspam-home) tree. It may be solved e.g. by adding apache to the
dspam group and setting the /var/dspam/data directories SGID or, better,
using default ACLs. Matěj probably went this way.

I think somewhere in the mailing lists the dspam filesystem permission
requirements were analysed (probably directly by Stevan Bajić or Jonathan A.
Zdziarski). If I wrote some mistakes here, please correct me.

Franta Hanzlik
_______________________________________________
Dspam-user mailing list
Dspam-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspam-user
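The two options discussed in the message (suexec the CGI scripts to dspam:dspam, or leave them running as apache:apache and grant apache group or ACL access to the dspam-home tree) come down to the ordinary POSIX owner/group/other check plus setgid-directory group inheritance. The following is an added example, not code from the thread or from the DSPAM project: a small model of that check, applied to the scenarios above. Every path, user name, mode and ACL entry in it is a constructed assumption (the thread gives 2555 for the dspam binary and names /var/dspam; the 2770 data-directory mode, the 0660 file mode and the ACL entry are chosen here for illustration), and the ACL mask entry is not modelled.

```python
"""Model of the POSIX access check behind the DSPAM web-UI permission question.

Constructed example: users, modes and ACL entries below are assumptions that
mirror the thread's setup (dspam-home=/var/dspam, CGI either suexec'd to
dspam:dspam or running implicitly as apache:apache). Root is not modelled,
and POSIX ACLs are reduced to named-group entries without a mask.
"""
import stat
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


@dataclass
class Inode:
    owner: str
    group: str
    mode: int                      # permission bits incl. setgid, e.g. 0o2770
    acl: dict = field(default_factory=dict)   # named group -> rwx bits


@dataclass(frozen=True)
class Process:
    user: str
    group: str                     # effective gid
    supplementary: frozenset = frozenset()


def allowed(proc: Process, inode: Inode, want: int) -> bool:
    """True if proc may perform `want` (bitmask of R|W|X) on inode.

    Class selection follows POSIX: the owner class wins if the uid matches,
    otherwise the group class (owning group or a matching named ACL entry),
    otherwise 'other'. Group bits are the union of the matching entries."""
    groups = {proc.group} | set(proc.supplementary)
    if proc.user == inode.owner:
        bits = (inode.mode >> 6) & 7
    elif inode.group in groups or any(g in groups for g in inode.acl):
        bits = (inode.mode >> 3) & 7 if inode.group in groups else 0
        for g, acl_bits in inode.acl.items():
            if g in groups:
                bits |= acl_bits
    else:
        bits = inode.mode & 7
    return bits & want == want


def create_in(parent: Inode, proc: Process, mode: int = 0o660) -> Inode:
    """New entry created by proc in parent.

    With the setgid bit on the parent, Linux gives the new entry the parent's
    group (what 'setting the data directories SGID' buys you); otherwise it
    gets the creating process's effective group. Default ACL entries on the
    parent are inherited, which is the 'better, use default ACLs' option."""
    group = parent.group if parent.mode & stat.S_ISGID else proc.group
    return Inode(owner=proc.user, group=group, mode=mode, acl=dict(parent.acl))


# Assumed layout: data tree owned dspam:dspam, group-writable, setgid.
DATA_DIR = Inode("dspam", "dspam", 0o2770)
DATA_DIR_NO_SGID = Inode("dspam", "dspam", 0o770)
DATA_DIR_WITH_ACL = Inode("dspam", "dspam", 0o2770, acl={"apache": R | W | X})

SUEXEC_CGI = Process("dspam", "dspam")                        # SuexecUserGroup dspam dspam
APACHE_CGI = Process("apache", "apache")                      # implicit apache:apache
APACHE_IN_DSPAM_GROUP = Process("apache", "apache", frozenset({"dspam"}))
DSPAM_DELIVERY = Process("dspam", "dspam")                    # dspam run via the SGID binary


def scenario_results() -> dict:
    """Can the CGI side read/write/traverse the data directory?"""
    return {
        "suexec dspam:dspam": allowed(SUEXEC_CGI, DATA_DIR, R | W | X),
        "apache:apache, no changes": allowed(APACHE_CGI, DATA_DIR, R | W | X),
        "apache added to dspam group": allowed(APACHE_IN_DSPAM_GROUP, DATA_DIR, R | W | X),
        "default ACL for apache": allowed(APACHE_CGI, DATA_DIR_WITH_ACL, R | W | X),
    }


def delivery_can_write_file_created_by_web_ui(parent: Inode) -> bool:
    """Does a file the apache-side CGI creates stay writable for the dspam
    delivery path? This is where the setgid bit on the directory matters."""
    new_file = create_in(parent, APACHE_IN_DSPAM_GROUP)
    return allowed(DSPAM_DELIVERY, new_file, R | W)


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:32s} {'ok' if ok else 'DENIED'}")
    print("file created by web UI, sgid dir   :",
          delivery_can_write_file_created_by_web_ui(DATA_DIR))
    print("file created by web UI, no sgid    :",
          delivery_can_write_file_created_by_web_ui(DATA_DIR_NO_SGID))
```

The last two results are the practical point: adding apache to the dspam group is enough for apache to get into the tree, but without setgid (or a default ACL) on the directories the files the web UI creates end up group apache, and the dspam delivery side, which the thread has running as group dspam, can no longer write them.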