Sam ([EMAIL PROTECTED]) wrote:
: > > | 4) Could setuid(geteuid()) but that doesn't buy very much.
: > >
: > > That should stop the user from killing qmail-queue, methinks.
: >
: > It doesn't buy much because there is still a time when uid != euid,
: > and the signal can arrive then.
: But the temporary file does not exist yet.
Sam CC'ed me, I didn't check the list, so replied off list.
He's right, my mistake.
Changing id's would stop the attack but as others have pointed out,
it would be nice to be able to legitimately interrupt it. I don't
see a compelling reason that users be denied use of qmail-queue.
That would break qmail-qmqpd and qmail-local.
So I'm still interested that qmail-queue should clean up it's own
mess rather than wait for qmail-send to clean up what is obviously
trash. This is easy to do, but hinges on the pid file name being
one-to-one mappable to a qmail-queue process, which it intentionally
isn't, and I see no reason why not. Not much extra code.
(Personally I'm not terribly interested in whether or not changes
are made to qmail, because these are easy to hack in, but I am
interested in Dan's thinking.)
-harold
