Thanks for the response, Peter. Yes, the "security" of the app is not my
doing (otherwise I wouldn't have this problem at all!). And, yes, I removed
the shell from qmailq almost as soon as I added it.
Unfortunately my problem persists. I was hoping to not cloud this discussion
with our site-specific implementation, but...
We've hacked qmail to not set uid/gid on delivery (actually the recipient
doesn't even have an account on the machine). So, the uid/gid of the process
running the .qmail is indeed qmailq/qmail.
This is why it seems strange that with qmail in the testgrp group it still
complains.
Thanks for the help all the same.
- Scott M
> -----Original Message-----
> From: Peter Samuel [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 07, 2000 4:48 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Running Programs in .qmail
>
>
> On Mon, 7 Feb 2000 [EMAIL PROTECTED] wrote:
>
> > I'm trying to run a program for each email sent to a certain address. So I
> > have a .qmail file in the correct directory, which looks something like
> > this:
> >
> > |/var/qmail/bin/preline /usr/local/junk/test
> >
> > The app (/usr/local/junk/test) is very security conscious. It checks itself
> > for permissions, which must be 770 else it complains and doesn't run.
>
> 770 is not VERY security conscious :)
>
> >
> > Let's also say that the app has another requirement of owner/group =
> > test/testgrp. I've placed all the qmail users in the group testgrp
> > (qmaild,qmaill,qmailp,qmailq,qmailr,qmails), so the 770 access should be
> > enough for qmail to run the app. I've tested this by giving qmailq a shell
> > and logging in to verify the user has permissions to run the app.
>
> Bad ideas. By the time a .qmail file is accessed, the effective uid
> and gid have been changed to the user for whom the mail message was
> intended (see the qmail pictures). So making the qmail users (qmaild
> etc) members of group testgrp is not going to help. Also giving qmailq
> a shell is a potential security nightmare - change it back now!
>
> >
> > qmail still complains about not being able to access the file.
>
> The user for whom the mail is destined needs to be in the group
> testgrp to execute the file. It sounds like this is not the case in
> your current environment.
>
> >
> > If I change the permissions on the test app to 777, then qmail has no
> > problem, but the security-anal app refuses to run in such a
> > configuration.
>
> Of course. See above. Also see the qmail pictures again - especially
> the local delivery diagrams.
>
> >
> > Has anyone run into such a problem? Does qmail honor group permissions?
>
> Regards
> Peter
> ----------
> Peter Samuel [EMAIL PROTECTED]
> Technical Consultant or at present:
> eServ. Pty Ltd
> [EMAIL PROTECTED]
> Phone: +61 2 9206 3410 Fax: +61 2 9281 1301
>
> "If you kill all your unhappy customers, you'll only have
> happy ones left"
>
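An added illustration of Peter's point (example code, not part of the thread or of qmail): a small model of the POSIX execute-permission check, applied to the 770 test/testgrp program from the question. The numeric uids/gids are constructed, and "recipient" stands for whichever user qmail-local has switched to when it reads the .qmail file.

```python
# Added example (not from the thread): model of the Unix permission check
# that decides whether a .qmail "|program" line can be executed. Peter's
# point is that by the time .qmail is read, delivery already runs as the
# *recipient* user, so that user's uid/gid are what matter, not qmailq's.
# All numeric ids below are constructed for illustration.

import stat

UID_TEST, GID_TESTGRP = 1001, 2001   # owner/group the app insists on
UID_QMAILQ, GID_QMAIL = 503, 501     # a qmail system account (hypothetical ids)
UID_RECIPIENT = 1002                 # the user whose .qmail fires


def can_execute(mode, file_uid, file_gid, proc_uid, proc_gids):
    """POSIX DAC rule for executing a regular file.

    mode: permission bits, e.g. 0o770.
    proc_gids: the effective gid plus any supplementary groups of the process.
    Owner bits apply if the uid matches; otherwise group bits if any gid
    matches; otherwise the 'other' bits. Root only needs some x bit set.
    """
    if proc_uid == 0:
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if proc_uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def qmail_delivery_can_run(mode, recipient_uid, recipient_gids):
    """Delivery runs the .qmail command as the recipient, not as qmailq."""
    return can_execute(mode, UID_TEST, GID_TESTGRP, recipient_uid, recipient_gids)


def scenarios():
    """The cases discussed in the thread, as label -> allowed?"""
    return {
        # qmailq was added to testgrp, so from a login shell it can run the 770 file...
        "qmailq in testgrp, 0770": can_execute(
            0o770, UID_TEST, GID_TESTGRP, UID_QMAILQ, {GID_QMAIL, GID_TESTGRP}),
        # ...but normal delivery runs as the recipient, who is not in testgrp.
        "recipient not in testgrp, 0770": qmail_delivery_can_run(0o770, UID_RECIPIENT, {100}),
        # Peter's fix: put the recipient user in testgrp.
        "recipient in testgrp, 0770": qmail_delivery_can_run(0o770, UID_RECIPIENT, {100, GID_TESTGRP}),
        # 0777 lets anyone execute it, which is exactly why the app refuses that mode.
        "recipient not in testgrp, 0777": qmail_delivery_can_run(0o777, UID_RECIPIENT, {100}),
    }
```

One caveat when mapping this to a real qmail box: prot_gid() in qmail's prot.c calls setgroups() with only the single delivery gid, so the process gets no supplementary groups from /etc/group, which is why the model takes the gid set explicitly instead of reading group membership.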