Only suid or suid & guid? qmail-qstat and qmail-qread both
rely on the qmail group to run through the queue.
man -M /var/qmail/man qmail-qstat
Here's a quick binary wrapper that I was thinking about using
that'd run as root, but would only have permission to run if you're in
the staff or wheel group. Thoughts? -sc
PS To change to qmail-qread:
cp qmail_qstat.c qmail_qread.c
perl -p -i -e 's/QMAILQSTAT/QMAILQREAD/g' qmail_qread.c
perl -p -i -e 's/qmail-qstat/qmail-qread/g' qmail_qread.c
/* $Id: qmail_qstat.c,v 1.1 2001/04/10 21:48:02 sean Exp $ */
#include <unistd.h>
#include <stdio.h>

#define QMAILQSTAT "/var/qmail/bin/qmail-qstat"

int main(void) {
    /* Replace this process with qmail-qstat; execlp() returns only on failure. */
    execlp(QMAILQSTAT, "qmail-qstat", (char *)NULL);
    fprintf(stderr, "Woa! Large problem: didn't exec qmail-qstat!\n");
    return 1;
}
On Tue, Apr 10, 2001 at 04:11:37PM -0700, Ian Lance Taylor wrote:
> Subject: Re: qmail-qread and qmail-qstat as suid root...
> From: Ian Lance Taylor <[EMAIL PROTECTED]>
> Date: 10 Apr 2001 16:11:37 -0700
>
> Sean Chittenden <[EMAIL PROTECTED]> writes:
>
> > Anyone know of any reason why I shouldn't set the qmail-qread
> > and qmail-qstat as setuid root? I've looked through the source, but
> > am looking for a last confirmation or "don't do that." -sc
>
> Make them setuid qmailq, not setuid root.
>
> That should be safe enough, although there is a slightly increased
> chance that a local user can do something horrible to your mail queue.
>
> Ian
--
Sean Chittenden
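One way to enforce the staff/wheel restriction inside the wrapper itself and to keep the caller's environment away from the privileged program, as an added example that is not part of the original message. The helper names, the 256-entry group buffer and the fixed PATH value are assumptions; the group names and the qmail-qstat path are the ones from the message.

```c
/* Added example, not from the original post. Helper names, buffer size and
 * the PATH value are illustrative assumptions. */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define QMAILQSTAT "/var/qmail/bin/qmail-qstat"

/* Return 1 if gid appears in list[0..n-1], else 0. */
int gid_in_list(gid_t gid, const gid_t *list, int n) {
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Return 1 if the real gid or any supplementary gid is in allowed[]. */
int caller_allowed(gid_t rgid, const gid_t *supp, int nsupp,
                   const gid_t *allowed, int nallowed) {
    if (gid_in_list(rgid, allowed, nallowed))
        return 1;
    for (int i = 0; i < nsupp; i++)
        if (gid_in_list(supp[i], allowed, nallowed))
            return 1;
    return 0;
}

int main(void) {
    static const char *names[] = { "staff", "wheel" };
    gid_t allowed[2], supp[256];
    int nallowed = 0, nsupp;
    struct group *gr;
    for (int i = 0; i < 2; i++)      /* keep only groups that exist here */
        if ((gr = getgrnam(names[i])) != NULL)
            allowed[nallowed++] = gr->gr_gid;
    nsupp = getgroups(256, supp);    /* -1 (too many groups) fails closed */
    if (nsupp < 0 || !caller_allowed(getgid(), supp, nsupp, allowed, nallowed)) {
        fprintf(stderr, "qmail-qstat wrapper: permission denied\n");
        return 1;
    }
    /* Fixed environment: nothing set by the caller reaches the child. */
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    char *const argv[] = { "qmail-qstat", NULL };
    execve(QMAILQSTAT, argv, envp);
    perror("execve " QMAILQSTAT);    /* reached only if execve() failed */
    return 1;
}
```

The check uses the real gid and supplementary groups, which still describe the invoking user when the binary is installed setuid.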