On Thu August 21 2003 01:28, D.Monroe wrote:
> # Instead use for example 'sudo': http://www.courtesan.com/sudo/
>
> given this "trend" away from suidperl support, has anyone managed to
> use sudo with Q-S?

Thanks for your reply.

I tried it today, but unfortunately I don't understand the qmail inner
workings well enough to do this. I gave the qmaild user NOPASSWD sudo
rights:

qmaild ALL=(ALL) NOPASSWD: /var/qmail/bin/qscan-sudo

And that script is this:

#!/bin/sh
LOG=/tmp/qscan.log
# Log a timestamp and the environment the wrapper was started with
/usr/bin/date >> "$LOG"
set >> "$LOG"
# Run the scanner through sudo, capturing its output and exit code
/usr/bin/sudo /var/qmail/bin/qmail-scanner-queue.pl "$@" >> "$LOG" 2>&1
echo exitcode $? >> "$LOG"

And $LOG (owned by qmaild.qmail mode 660) shows this for the last try:

Thu Aug 21 18:11:51 CDT 2003
BASH=/bin/sh
BASH_VERSINFO=([0]="2" [1]="05b" [2]="0" [3]="1" [4]="release" [5]="i386-slackware-linux-gnu")
BASH_VERSION='2.05b.0(1)-release'
DIRSTACK=()
EUID=2527
GROUPS=()
HOSTNAME=mtafs
HOSTTYPE=i386
IFS='
'
LOG=/tmp/qscan.log
MACHTYPE=i386-slackware-linux-gnu
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/command:/usr/local/bin:/usr/local/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin
PIPESTATUS=([0]="0")
POSIXLY_CORRECT=y
PPID=1486
PROTO=TCP
PS4='+ '
PWD=/var/qmail
QMAILQUEUE=/var/qmail/bin/qscan-sudo
SHELL=/bin/sh
SHELLOPTS=braceexpand:hashall:interactive-comments:posix
SHLVL=1
TCPLOCALHOST=0
TCPLOCALIP=(external_IP)
TCPLOCALPORT=25
TCPREMOTEHOST=(my_reverse_DNS)
TCPREMOTEIP=(my_IP)
TCPREMOTEPORT=4353
TERM=dumb
UID=2527
_=/usr/bin/date
exitcode 0

UID 2527 is qmaild. Note there was no output, error or otherwise, from
qmail-scanner-queue.pl, and the test messages sent in that period seem
to have vanished. When I turn off $QMAILQUEUE in /etc/tcp.smtp it works
fine, so we know qmail itself is working.

I have tried this with qmail-scanner-queue.pl itself mode 0755 and
4755; the SUID bit doesn't matter.

My guess is that there are parts of the script which need root, and
THOSE are what need sudo. Other parts need UID qmailq, and qmail won't
deliver if it's run as UID 0. I don't know Perl or qmail well enough
to fix this. I'll keep trying, but ...

This could become a major problem for the qmail-scanner project. When
Pat Volkerding refuses to include a feature in Slackware, he has good
reasons, and we can't put up a mail server with security issues.

--
Rob - /dev/rob0
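
A point to check in any $QMAILQUEUE wrapper like the one above: qmail-queue(8) reads the message from descriptor 0 and the envelope from descriptor 1, so a wrapper that redirects the queue program's stdout to a log replaces the descriptor the envelope arrives on. The following is an added example, not part of the original message; stub_queue, the wrapper names and the sample message and envelope are constructed stand-ins, and sudo itself is not invoked.

```shell
#!/bin/sh
# Added example. stub_queue is a constructed stand-in for a
# qmail-queue-style program: message on fd 0, envelope on fd 1.
stub_queue() {                       # $1 = scratch spool directory
    cat > "$1/message" || return 1               # read message from fd 0
    cat <&1 > "$1/envelope" || return 1          # read envelope from fd 1
    [ -s "$1/envelope" ] || return 1
    echo "queued" >&2                            # diagnostics on fd 2 only
}

# Pattern from the post: the program's stdout is appended to the log.
# That replaces fd 1, so the envelope descriptor never reaches it.
wrapper_logs_stdout() {
    stub_queue "$1" >> "$1/wrapper.log" 2>&1
}

# Leave fds 0 and 1 untouched; collect diagnostics from fd 2 instead.
wrapper_keeps_fds() {
    stub_queue "$1" 2>> "$1/wrapper.log"
}

# Invoke a wrapper the way $QMAILQUEUE is invoked and print
# "delivered" if the envelope arrived intact, otherwise "lost".
run_case() {
    spool=$(mktemp -d) || return 1
    printf 'Subject: test\n\nbody\n' > "$spool/in.msg"             # constructed
    printf 'Fa@example.org\0Tb@example.org\0\0' > "$spool/in.env"  # constructed
    if "$1" "$spool" < "$spool/in.msg" 1< "$spool/in.env" &&
       cmp -s "$spool/in.env" "$spool/envelope"; then
        result=delivered
    else
        result=lost
    fi
    rm -rf "$spool"
    echo "$result"
}

echo "stdout appended to log: $(run_case wrapper_logs_stdout)"
echo "fds 0 and 1 preserved:  $(run_case wrapper_keeps_fds)"
```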