Greetings to the list.

Would there be interest in my posting a new patch that I have submitted for incorporation into qpopper 4.0? This patch allows qpopper to automatically select or deselect server mode based on whether the user has shell access - the main factor in whether server mode is "safe" - by looking at their login shell.

Introduction:

This patch grew out of considering what had stood in the way of our enabling server mode for Qpopper at our site. Here, there are a substantial minority of users who have shell access on the server which handles mail delivery (though the vast majority do not.) Prudence kept us from simply enabling server mode across the board and "hoping for the best." Changing the login group for thousands of users, so that we could use the group-based server mode selection, seemed likely to cause problems.

One of our group (Robert Brewer) asked if we could base the server-mode on whether the user actually has shell access, based on their shell setting - and that was enough of an idea for me to dig in and code it. It seems to work nicely, and it looks like it will solve all the issues with rolling server mode out for 90% of our userbase.

Usage:

Server mode can be either enabled, or disabled, for a given class of users, based on whether their actual login shell (from their password entry) is one of those listed in a configuration variable, in the form of a colon-separated string.

Thanks to the much cleaner design of the latest qpopper, this proved very easy for me to integrate "across the board" in the style of the other options: the option can be set either from the configure script, to get it in as a default, or from a run-time configuration file.

An example of the former:

    ./configure --enable-shell-server-mode=/sbin/nologin

An example of the latter:

    set shell-server-mode = "/usr/bin/false:/sbin/nologin:/usr/local/etc/no_shell"

You could also exclude specific shells via either mechanism:

    set server-mode
    set shell-no-server-mode = "/bin/sh:/bin/bash:/bin/ksh:/bin/csh:/bin/tcsh"

etc.

Integration:

I have tried to make this code as clean, elegant, portable, and transparent as feasible in a small amount of time. I don't believe any new portability issues should come up with the constructs I'm using, since the tests for group membership already presume a successful getpwent() call.

I have a unified recursive diff for all of the files which were updated to make this change, and the C source for the one new source file (popper/check_shell.c). I will happily post it to the list if that meets the expectations for attachments and source to this particular list. (The whole patch + new code totals about 20K.) I've also submitted it to the qpopper-patches address.

Cheers,
-- Clifton

-- 
Clifton Royston -- LavaNet Systems Architect -- [EMAIL PROTECTED]
WWJD? "JWRTFM!" - Scott Dorsey (kludge) "JWG" - Eddie Aikau
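
Added example, not code from the patch described above or from qpopper: a sketch of how a login shell taken from the password entry can be matched against the colon-separated lists shown in the message. The function names, the rule that the exclusion list wins on conflict, and the treatment of an empty shell field are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Whole-token match of one shell path against a colon-separated list,
 * so "/bin/sh" matches neither "/bin/sh2" nor "/usr/bin/sh". */
static int shell_in_list(const char *shell, const char *list)
{
    size_t want = strlen(shell);
    const char *p = list;

    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 0 && len == want && memcmp(p, shell, len) == 0)
            return 1;
        p = end ? end + 1 : NULL;   /* empty tokens ("a::b") are skipped */
    }
    return 0;
}

/* Hypothetical decision function: 1 = use server mode, 0 = do not.
 * default_mode mirrors "set server-mode"; either list may be NULL (unset). */
int pick_server_mode(const char *pw_shell, int default_mode,
                     const char *server_shells, const char *no_server_shells)
{
    /* An empty shell field in a passwd entry means /bin/sh, so it must be
     * treated as a real login shell, not as "no shell access". */
    const char *shell = (pw_shell == NULL || *pw_shell == '\0')
                            ? "/bin/sh" : pw_shell;

    if (no_server_shells && shell_in_list(shell, no_server_shells))
        return 0;   /* assumption: the exclusion list wins on conflict */
    if (server_shells && shell_in_list(shell, server_shells))
        return 1;
    return default_mode;
}

int main(void)
{
    /* List values copied from the message; the shells tested are constructed. */
    const char *on = "/usr/bin/false:/sbin/nologin:/usr/local/etc/no_shell";
    const char *off = "/bin/sh:/bin/bash:/bin/ksh:/bin/csh:/bin/tcsh";

    printf("nologin -> %d\n", pick_server_mode("/sbin/nologin", 0, on, NULL));
    printf("bash    -> %d\n", pick_server_mode("/bin/bash", 1, NULL, off));
    printf("empty   -> %d\n", pick_server_mode("", 1, NULL, off));
    return 0;
}
```

Matching whole tokens matters here because a substring comparison would let a path such as /sbin/nologin2 inherit the setting meant for /sbin/nologin.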
