On Friday 25 July 2003 10:24, Jeff Hedlund wrote:
> Jesse Guardiani wrote:
> > On Friday 25 July 2003 00:26, Tom Collins wrote:
> >><http://sourceforge.net/projects/qmailadmin/>
> >>
> >>******* Corrected security flaw introduced in 1.0.13 ********
> >>In QmailAdmin 1.0.13 through 1.0.24, it was possible for any
> >>user to configure their account (on the "Modify User" screen)
> >>to forward their email to any program on the server.
> >>
> >>Since the program would run as the vpopmail user, this was a
> >>very bad thing. The 1.0.25 release corrects this problem,
> >>but will remove existing program delivery lines (other than
> >>autoresponder and spam command) from a user's .qmail file if
> >>they click the "Modify User" button on the "Modify User" screen.
> >>
> >>This is a temporary fix; we plan to improve the code that
> >>alters a user's .qmail file to allow existing program delivery
> >>lines to remain unchanged.
> >
> > How soon do you plan to fix this?
>
> There won't be an official release before August 1st, since Tom is in
> charge of the sf.net account so we cannot release another version until
> he's back to do so.
>
> However, we can start to code a patch that would work and test it before
> he gets back.

:) Patch time. I'm about to create and submit some templating patches today,
so maybe I'll take a look while I'm in there.

>
> > I make heavy use of program
> > delivery lines, so there is no way I can install this version in anything
> > but a strict test environment.
>
> Out of curiosity (and to help understand your situation more), how do
> you create these custom program delivery lines? Via scripts to create
> new users?

No. Via user configuration/administration scripts for existing users.
We use a spam filtering program called TMDA:

http://www.tmda.net

To use TMDA on mail accounts we have to insert prelines in .qmail files.
Each preline is unique to that user, so setting the --enable-spam-command
configure option probably won't work, unless qmailadmin supports wildcards
inside the --enable-spam-command.

>
> And- what are the program delivery lines?

I don't think that is really important. I just don't want qmailadmin
to delete them, modify them, allow users to change them, or otherwise
try to understand them. Displaying them is fine, but I think anything
more is unnecessary.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
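Added example, not code from QmailAdmin or from anyone in this thread: a sketch in C of the behavior requested above, where a .qmail rewrite keeps existing program delivery lines untouched and accepts only plain forward addresses from the user. The function names, the rule that forwards are appended after the preserved lines, and the sample paths in the test are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* dot-qmail line types: '|' program, '/' or '.' mbox/maildir, '#' comment;
   a line starting with '&' or a letter/digit is a forward address. */
static int is_forward(const char *s, size_t n) {
    return n > 0 && (s[0] == '&' || isalnum((unsigned char)s[0]));
}

/* User input is accepted only as a plain address: one '@', safe characters. */
static int valid_user_forward(const char *s, size_t n) {
    size_t i, at = 0;
    if (n == 0 || !isalnum((unsigned char)s[0])) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') at++;
        else if (!isalnum(c) && !strchr("._+-", c)) return 0;
    }
    return at == 1;
}

/* Hypothetical helper. Pass 0 copies existing non-blank, non-forward lines
   unchanged; pass 1 appends validated user forwards. Returns the count of
   rejected user lines, or -1 if out is too small. */
int rewrite_dotqmail(const char *existing, const char *user, char *out, size_t outsz) {
    int pass, rejected = 0;
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (pass = 0; pass < 2; pass++) {
        const char *p = pass ? user : existing;
        while (*p) {
            size_t n = strcspn(p, "\n");  /* split on newline so an embedded line is judged alone */
            int keep = pass ? valid_user_forward(p, n) : !is_forward(p, n);
            if (pass && n > 0 && !keep) rejected++;
            if (keep && n > 0) {
                if (used + n + 2 > outsz) return -1;
                memcpy(out + used, p, n);
                used += n;
                out[used++] = '\n';
                out[used] = '\0';
            }
            p += n + (p[n] == '\n');
        }
    }
    return rejected;
}
```

Because user input is split on newlines before validation, a program line smuggled in after a valid address is counted as rejected instead of being written to the file.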
