On Wed, Sep 08, 1999 at 11:24:45AM +0500, Dmitry Niqiforoff wrote:
> Is there any suggestions about how to avoid all the potential
> problems?
Yes.
1) Hack qmail-local to deny | usage for your users (check the gid?).
2) Prevent the users from creating .qmail files. Our users homedirs are
owned by someone else. We give them subdirectories to use. Any dot file
that we allow them to use are a symbolic link to a normal file in a sub
directory. That way we don't have to worry about all other possible dot
files that might give them the right to run something. We use a simple
web page that let them configure forwarding, instead of letting them
modify the files.
3) Hack qmail-local to chroot to the users' homedirs before running any
commands. That way you can limit the damage the user may do and still let
them run some programs. We do this for our users cgi programs. Don't forget
resource limits if you follow this path...
/Sebastian
