hi,

On Thu, May 03, 2007 at 10:14:50PM +0200, Michael wrote:
> Hi all,
>
> On a hardened server which provides mail and web content I wanted to run
> qmailadmin. qmailadmin uses a binary in cgi-bin which is owned by user
> and group vpopmail, and has suid bit set. Before installing vpopmail I
> had my /var set to be mounted nosuid, because it'll be the first place
> any untrusted person might be able to have write access. So to make
> qmailadmin run from the cgi-bin I had to mount my /var without
> nosuid/with suid, which I'd like not to do, would there be any way
> around this?

AFAICT qmail is not even expected to run on a non-suid-ed /var.
/var/qmail/bin/qmail-queue is a qmailq:qmail suid-ed binary.

and you should worry about /var/tmp not /var I guess.

> The next problem involves tpe (trusted path execution). I set up the
> wheel group as trusted group, so all other groups are untrusted. I think
> I might need to change this so a customer group will become untrusted
> and will contain the users that I don't trust, but if everything works
> this way (every group but wheel untrusted) I think that'd even be
> better... Now the problem is qmailadmin again... It's in the cgi-bin
> dir, which is owned by user and group apache, so apache has write access
> there. qmailadmin is owned by user and group vpopmail, so tpe says it's
> not safe for apache to execute qmailadmin. If I turn tpe off it works
> just fine, but of course I want tpe on.

you can add a different group just for TPE (not wheel) and as a worst case
scenario set it as a supplementary group for all user id's that don't work
well with it. but first try to tweak the unix permissions involved in the
tpe denial.

bye,
peter

--
petre rodan <[EMAIL PROTECTED]>
Developer,
Hardened Gentoo Linux
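
A way to inspect the unix permissions involved in a TPE denial, as an added example that is not part of the original message or of any project's code. It assumes the grsecurity TPE rule that an untrusted user may execute a file only when its parent directory is owned by root and is not group- or world-writable; the function names and the `TRUSTED_UID` parameter are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed TPE rule: an untrusted user may execute a file only
# if its parent directory is owned by root and not group- or world-writable.

# tpe_dir_ok DIR [TRUSTED_UID]
# Returns 0 if DIR satisfies the assumed rule, 1 otherwise (reasons on stdout).
# TRUSTED_UID defaults to 0 (root); it is a parameter only so the check can
# be exercised without root privileges.
tpe_dir_ok() {
    dir=$1
    trusted_uid=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # GNU/busybox stat: %u = owner uid, %a = permission bits in octal
    info=$(stat -c '%u %a' "$dir") || return 1
    owner=${info% *}
    mode=${info#* }
    rc=0
    if [ "$owner" -ne "$trusted_uid" ]; then
        echo "$dir: owned by uid $owner, expected uid $trusted_uid"
        rc=1
    fi
    # 020 = group write, 002 = other write
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable"
        rc=1
    fi
    return $rc
}

# tpe_exec_ok FILE [TRUSTED_UID]
# Applies the directory check to the directory that contains FILE.
tpe_exec_ok() {
    tpe_dir_ok "$(dirname -- "$1")" "${2:-0}"
}

# Stand-alone use: sh tpe_check.sh /path/to/cgi-bin/qmailadmin
if [ "$#" -gt 0 ]; then
    tpe_exec_ok "$1"
fi
```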
