on 7/13/05 9:47 AM, Tom Collins <[EMAIL PROTECTED]> wrote:

> On Jul 8, 2005, at 5:18 PM, Kurt Bigler wrote:
>> In the case of a user with "Standard (No Forwarding)" selected and "Spam
>> Detection?" checked, if I modify the user/.qmail file by hand as follows:
>> 
>> change      |/usr/bin/kdelivermail
>> to          |/usr/bin/kdelivermail2
>> 
>> then qmailadmin shows the same state after the change.  Any change besides
>> [...] characters added at the end are apparently ignored in the comparison.
> Good point.  I can tighten up the string matching to be an exact line
> match.

Thanks.

>> (2) When a case is detected that does not match one of the standard
>> states, display the .qmail lines under a "Custom" editing mode that permits
>> editing.

> I think it would be OK to show the extra lines, but not to allow
> editing.  Heck, if the postmaster is logged in, maybe it should just
> show the entire .qmail file in gray text below the radio buttons.
> Letting a user for a domain edit their .qmail file opens up a huge
> security hole -- one we had to fix in the 1.0 series when it was
> possible to put anything in the "forward" line.
>
> The problem is that anything I put in my .qmail file runs as user
> vpopmail.  That means I can craft a program delivery line that emails
> the contents of your vpopmail.mysql file to me.  Or any vpasswd file.
> Or just deletes ~vpopmail/domains/domain.com/someguyihate.
> 
> I'm very resistant to adding support in QmailAdmin for editing .qmail
> files directly.  I understand it could be helpful if it was limited to
> postmasters and all postmasters were trustworthy.  I worry about
> uninformed sysadmins who might enable such a feature without realizing
> the holes it opens.

Admittedly being able to view the .qmail file contents (as postmaster) will
be a great help.

However, since I set up mail filtering I find I am needing a lot of
customization that keeps putting mail filtering control outside of what
QmailAdmin offers with its single spam filtering command.  For example I
need to test new filter variations before making them live on all accounts.
So I need to be able to do the kind of thing in my original example,
changing kdelivermail to kdelivermail2 so that I have a test configuration
on a certain account.

But allowing a filter to be specified per-account would probably open up the
same security holes you were already concerned with.  What comes to mind as
potentially useful would be a way to have, say, 5 distinct
enable-spam-command alternatives.  When enabling spam filtering in this
mode, there would be a choice of 5 options, each of which would be
presumably secure since the command was qualified in advance at QmailAdmin
config time.

Your concerns about security make me realize that the underlying issue here
results from QmailAdmin being targeted to two different kinds of end users.
On my server, only the server administrator (me) uses QmailAdmin.  It seems
like there might be some possible resolution for this, so that admins who
install QmailAdmin for their own use only are not limited by this dual
targeting.  Is there a way?

To clarify, if there were another distinct program almost identical to
QmailAdmin but intended only for server administrator use (and with no
individual user logins), then you would not be worried, right?  This issue is
not simply having some kind of vpopmail-account (or even more dangerous) web
access, because most of us server administrators already have such access,
which if others found out about (and got the password), would put us at
risk.  The issue as I understand you is somehow the problem that the person
installing QmailAdmin may not understand the risks.  Yet creating another
distinct program called DangerousQmailAdmin would be overkill, right?  It
would be much easier to just provide a --dangerous configuration option
which by its name would alert the administrator doing the install that there
is a potential problem, and further which would disallow non-postmaster
login.

Yet another thought is to provide a distinct "hostmaster" login or some such
thing, which would be the only account that would allow direct .qmail
editing.  It might be also convenient if the hostmaster login permitted
modifying multiple domains without requiring logout/login for each domain.

Thanks,
Kurt
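As an added illustration (not QmailAdmin's code, and not something Tom or Kurt posted), the Python sketch below models the exact-line matching Tom says he can tighten up, combined with the pre-approved spam-command alternatives Kurt proposes; the command paths, the `SPAM_COMMANDS` table and `classify_qmail` are hypothetical. The `exact=False` path reproduces the loose comparison Kurt reported, where `kdelivermail2` was still shown as the stock `kdelivermail` state.

```python
"""Hypothetical model of QmailAdmin-style .qmail state detection.

A user's .qmail file is classified by comparing each delivery line exactly
against a small set of commands the server administrator fixed at
configuration time.  Any other program-delivery ('|') line is reported as a
custom state rather than silently shown as a standard one."""

# Constructed admin-configured alternatives (Kurt's "5 distinct options");
# these paths are illustrative, not a real QmailAdmin setting.
SPAM_COMMANDS = {
    "default": "|/usr/bin/kdelivermail",
    "test": "|/usr/bin/kdelivermail2",   # per-account test configuration
}
MAILDIR_LINE = "./Maildir/"


def _matches(candidate, known, exact):
    # exact=False reproduces the reported bug: a line that merely starts with
    # the known command (e.g. with a trailing '2') was still treated as a match.
    return candidate == known if exact else candidate.startswith(known)


def classify_qmail(text, exact=True, spam_commands=SPAM_COMMANDS):
    """Return ('standard', spam_choice_or_None) or ('custom', unrecognised_lines).

    Blank lines and comments are ignored; every other line must be the Maildir
    line or exactly one of the pre-approved spam commands, at most once."""
    spam_choice = None
    unknown = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#") or line == MAILDIR_LINE:
            continue
        matched = None
        for name, cmd in spam_commands.items():
            if _matches(line, cmd, exact):
                matched = name
                break
        # A second spam line, or anything not on the allowlist, is custom.
        if matched is None or spam_choice is not None:
            unknown.append(line)
        else:
            spam_choice = matched
    if unknown:
        return ("custom", unknown)
    return ("standard", spam_choice)
```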