Hi all,

On Friday 04-05-2007 at 08:45 [timezone +0300], Petre Rodan wrote:
> hi,
>
> On Thu, May 03, 2007 at 10:14:50PM +0200, Michael wrote:
> > Hi all,
> >
> > On a hardened server which provides mail and web content I wanted to run
> > qmailadmin. qmailadmin uses a binary in cgi-bin which is owned by user
> > and group vpopmail, and has suid bit set. Before installing vpopmail I
> > had my /var set to be mounted nosuid, because it'll be the first place
> > any untrusted person might be able to have write access. So to make
> > qmailadmin run from the cgi-bin I had to mount my /var without
> > nosuid/with suid, which I'd like not to do, would there be any way
> > around this?
>
> AFAICT qmail is not even expected to run on a non-suid-ed /var.
> /var/qmail/bin/qmail-queue is a qmailq:qmail suid-ed binary.

Good point, I guess you're very right on that one...

> and you should worry about /var/tmp not /var I guess.

Customers will have write access with PHP, at least in some part
of /var/www. So there it's more than just /var/tmp in my case, however
they shouldn't be able to create any suid files anyway.

> > The next problem involves tpe (trusted path execution). I set up the
> > wheel group as trusted group, so all other groups are untrusted. I think
> > I might need to change this so a customer group will become untrusted
> > and will contain the users that I don't trust, but if everything works
> > this way (every group but wheel untrusted) I think that'd even be
> > better... Now the problem is qmailadmin again... It's in the cgi-bin
> > dir, which is owned by user and group apache, so apache has write access
> > there. qmailadmin is owned by user and group vpopmail, so tpe says it's
> > not safe for apache to execute qmailadmin. If I turn tpe off it works
> > just fine, but of course I want tpe on.
>
> you can add a different group just for TPE (not wheel) and as a worst case
> scenario set it as a supplementary group for all user id's that don't work
> well with it. but first try to tweak the unix permissions involved in the tpe
> denial.

I can't really change anything about the permissions for that certain
file, because it needs to be run as vpopmail to have access to some of
the vpopmail commands. Your idea about the supplemental group is a good
one, I'll keep it in mind if I run into more problems.

> bye,
> peter

Thanks,
Michael Croes
-- 
[EMAIL PROTECTED] mailing list
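The nosuid trade-off discussed in this thread can be checked per binary. The script below is an added example, not part of the original messages: it reads a file in /proc/mounts format and reports whether the setuid bit takes effect at each path. The mount table and the qmailadmin location are constructed for illustration; only the qmail-queue path comes from the thread.

```shell
#!/bin/sh
# Added example: which setuid binaries does a nosuid mount neutralise?

# Constructed sample in /proc/mounts format (not taken from the thread).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw,nosuid,nodev 0 0
/dev/sda3 /var/qmail ext3 rw,nodev 0 0
EOF
}

# Print the mount options of the filesystem holding path $1, using the
# longest matching mount point in file $2 (default: /proc/mounts).
# Mount points containing spaces (escaped as \040) are not handled.
mount_opts_for() {
    path=$1
    mounts=${2:-/proc/mounts}
    awk -v p="$path" '
        {
            mp = $2
            # mp covers p if it is "/", equals p, or p continues with "/" after it
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { print opts }
    ' "$mounts"
}

# Return 0 if setuid bits are honoured at path $1, 1 if its mount is nosuid.
suid_honoured() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,nosuid,*) return 1 ;;
        *) return 0 ;;
    esac
}

tmp=$(mktemp)
sample_mounts > "$tmp"
# qmail-queue path is from the thread; the qmailadmin path is an assumed location.
for f in /var/qmail/bin/qmail-queue /var/www/cgi-bin/qmailadmin; do
    if suid_honoured "$f" "$tmp"; then
        echo "$f: setuid bit honoured"
    else
        echo "$f: setuid bit ignored (nosuid)"
    fi
done
rm -f "$tmp"
```

Calling `suid_honoured` with only a path checks it against the live /proc/mounts.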
