Hi all, On a hardened server which provides mail and web content I wanted to run qmailadmin. qmailadmin uses a binary in cgi-bin which is owned by user and group vpopmail, and has suid bit set. Before installing vpopmail I had my /var set to be mounted nosuid, because it'll be the first place any untrusted person might be able to have write access. So to make qmailadmin run from the cgi-bin I had to mount my /var without nosuid/with suid, which I'd like not to do, would there be any way around this?
The next problem involves tpe (trusted path execution). I set up the wheel group as trusted group, so all other groups are untrusted. I think I might need to change this so a customer group will become untrusted and will contain the users that I don't trust, but if everything works this way (every group but wheel untrusted) I think that'd even be better... Now the problem is qmailadmin again... It's in the cgi-bin dir, which is owned by user and group apache, so apache has write access there. qmailadmin is owned by user and group vpopmail, so tpe says it's not safe for apache to execute qmailadmin. If I turn tpe off it works just fine, but of course I want tpe on. How do you work around these problems? Did you own the apache cgi-bin (that's where qmailadmin lives) by user root and gave group ro access? I think that would solve the problem as far as tpe is concerned... Some help would be very welcome. Regards, Michael Croes -- [EMAIL PROTECTED] mailing list
