RE: [courier-users] Webmail only works SUID root????
From: Brian Candler [mailto:[EMAIL PROTECTED]]

> You need to be root for PAM to be able to read your shadow password file.
>
> If you are running a separate authdaemond then you can make sqwebmail suid to some other user, and chown the authdaemon socket to that uid. However, all your maildirs will also have to be owned by that uid (which is OK if you are building a large virtual-hosting system where none of the users have Unix shell accounts)

This sounds interesting. I am running a system with all virtual users who are all under the same uid. I don't quite follow what you mean by chown the authdaemon socket. What/where is the authdaemon socket?

I tried to set this up once before and I couldn't make it work. Could someone post an example of exactly what needs to be changed to make this work?

Thanks,

Bowie

---
This SF.net email is sponsored by: Scholarships for Techies!
Can't afford IT training? All 2003 ictp students receive scholarships.
Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
www.ictp.com/training/sourceforge.asp
___
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Re: [courier-users] Webmail only works SUID root????
On Wed, Jan 22, 2003 at 09:02:51AM -0500, Bowie Bailey wrote:

> From: Brian Candler [mailto:[EMAIL PROTECTED]]
>
> > You need to be root for PAM to be able to read your shadow password file.
> >
> > If you are running a separate authdaemond then you can make sqwebmail suid to some other user, and chown the authdaemon socket to that uid. However, all your maildirs will also have to be owned by that uid (which is OK if you are building a large virtual-hosting system where none of the users have Unix shell accounts)
>
> This sounds interesting. I am running a system with all virtual users who are all under the same uid. I don't quite follow what you mean by chown the authdaemon socket. What/where is the authdaemon socket?

It's a Unix domain socket, in the filesystem, which authdaemon clients use to talk to authdaemond. I have ./configure'd Courier to use non-standard locations, so you'll have to look for it. In my case it's

/var/courier-imap/authdaemon/socket
/var/sqwebmail/authdaemon/socket

# ls -ld /var/courier-imap/authdaemon
drwx------  2 exim  exim  512 Jan 21 15:38 /var/courier-imap/authdaemon
# ls -l /var/courier-imap/authdaemon
total 2
-rw-------  1 root  exim  0 Aug  8 09:47 lock
-rw-r--r--  1 root  exim  6 Jan 21 15:38 pid
srwxrwxrwx  1 root  exim  0 Jan 21 15:38 socket

(the 'authdaemon' directory which contains the socket will also need to have the right permissions; as you can see the uid of the MTA is 'exim').

Brian.

RE: [courier-users] Webmail only works SUID root????
From: Brian Candler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 12:56 PM

> > I don't quite follow what you mean by chown the authdaemon socket. What/where is the authdaemon socket?
>
> It's a Unix domain socket, in the filesystem, which authdaemon clients use to talk to authdaemond. I have ./configure'd Courier to use non-standard locations, so you'll have to look for it. In my case it's
>
> /var/courier-imap/authdaemon/socket
> /var/sqwebmail/authdaemon/socket
>
> # ls -ld /var/courier-imap/authdaemon
> drwx------  2 exim  exim  512 Jan 21 15:38 /var/courier-imap/authdaemon
> # ls -l /var/courier-imap/authdaemon
> total 2
> -rw-------  1 root  exim  0 Aug  8 09:47 lock
> -rw-r--r--  1 root  exim  6 Jan 21 15:38 pid
> srwxrwxrwx  1 root  exim  0 Jan 21 15:38 socket
>
> (the 'authdaemon' directory which contains the socket will also need to have the right permissions; as you can see the uid of the MTA is 'exim').

Ok, so with that setup, I would need to chown the webmail client to exim and make sure exim has permissions on the maildirs, right?

Bowie

Re: [courier-users] Webmail only works SUID root????
On Wed, Jan 22, 2003 at 01:15:44PM -0500, Bowie Bailey wrote:

> > # ls -ld /var/courier-imap/authdaemon
> > drwx------  2 exim  exim  512 Jan 21 15:38 /var/courier-imap/authdaemon
> > # ls -l /var/courier-imap/authdaemon
> > total 2
> > -rw-------  1 root  exim  0 Aug  8 09:47 lock
> > -rw-r--r--  1 root  exim  6 Jan 21 15:38 pid
> > srwxrwxrwx  1 root  exim  0 Jan 21 15:38 socket
> >
> > (the 'authdaemon' directory which contains the socket will also need to have the right permissions; as you can see the uid of the MTA is 'exim').
>
> Ok, so with that setup, I would need to chown the webmail client to exim and make sure exim has permissions on the maildirs, right?

I am running sqwebmail setuid to exim; courier-imap with TCPDOPTS=-nodnslookup -noidentlookup -user=exim in the pop3d/imapd config files; and my MTA is delivering all files as user 'exim'.

Regards,

Brian.

Re: [courier-users] Webmail only works SUID root????
----- Original Message -----
From: Eric Livingston [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 21, 2003 11:48 AM
Subject: [courier-users] Webmail only works SUID root

> I'm trying to get Webmail working, but I find that it denies any logins at all (claiming invalid user ID or password) unless I make the webmail executable suid root. This is clearly not agreeable - clearly there's something that webmail is trying to access that apache:apache does not have access to. I'm using the authdaemon with PAM, and apache 2.
>
> What file(s) need to be chmoded or chowned to allow webmail to access them? Or is webmail incompatible with authdaemon?
>
> Thanks,
>
> Eric

Eric,

webmail needs RW access to $USER/Maildir to read the user's mail files, move, delete, etc. as they choose to do with the webmail interface. Unlike other imap based web clients (which are rather inefficient), sqwebmail bypasses the imap server step and gets right to the files.

Installed as performed by the install scripts (per INSTALL instructions), webmail works just fine, and yes, it's SUID root.

Cheers,

andy

Re: [courier-users] Webmail only works SUID root????
On Tue, Jan 21, 2003 at 11:48:10AM -0500, Eric Livingston wrote:

> I'm trying to get Webmail working, but I find that it denies any logins at all (claiming invalid user ID or password) unless I make the webmail executable suid root. This is clearly not agreeable - clearly there's something that webmail is trying to access that apache:apache does not have access to. I'm using the authdaemon with PAM, and apache 2.

You need to be root for PAM to be able to read your shadow password file.

If you are running a separate authdaemond then you can make sqwebmail suid to some other user, and chown the authdaemon socket to that uid. However, all your maildirs will also have to be owned by that uid (which is OK if you are building a large virtual-hosting system where none of the users have Unix shell accounts)

That's why you shouldn't just chown the socket to 'apache' - not only would all CGIs on your system have access to the authdaemon socket, they would have access to all maildirs!

If your users have separate uids, i.e. separate entries in /etc/passwd, then you *must* run sqwebmail suid root, so that it has sufficient privilege to be able to change its uid to the appropriate user.

Regards,

Brian.
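
An added example (not part of the thread and not Courier code): a Python check of the single-uid layout discussed above, in which the directory holding the authdaemon socket is closed to group and other, the webmail binary is setuid to the uid that owns that directory, that uid is not the web server's, and the maildirs belong to it. The function names and the throwaway sample layout are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_webmail_layout(socket_dir, webmail_binary, web_server_uid, maildirs=()):
    """Return a list of findings; an empty list means the layout is consistent."""
    findings = []
    d = os.stat(socket_dir)
    b = os.stat(webmail_binary)
    # The socket itself may be srwxrwxrwx; the containing directory is the gate.
    if stat.S_IMODE(d.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("socket directory is open to group/other")
    if not b.st_mode & stat.S_ISUID:
        findings.append("webmail binary is not setuid")
    if b.st_uid != d.st_uid:
        findings.append("setuid owner does not own the socket directory")
    # Owned by the web server uid: every CGI could talk to authdaemond.
    if d.st_uid == web_server_uid:
        findings.append("socket directory is owned by the web server uid")
    for m in maildirs:
        if os.stat(m).st_uid != d.st_uid:
            findings.append("maildir not owned by the mail uid: " + m)
    return findings

def build_constructed_layout(root, dir_mode=0o700):
    """Create a throwaway layout owned by the current uid (constructed sample)."""
    sock_dir = os.path.join(root, "authdaemon")
    binary = os.path.join(root, "sqwebmail")
    maildir = os.path.join(root, "Maildir")
    os.mkdir(sock_dir)
    os.chmod(sock_dir, dir_mode)
    os.mkdir(maildir)
    with open(binary, "w") as f:
        f.write("")  # stand-in file, never executed
    os.chmod(binary, 0o4755)
    return sock_dir, binary, maildir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        sock_dir, binary, maildir = build_constructed_layout(root)
        other_uid = os.getuid() + 1  # pretend the web server runs as another uid
        print(audit_webmail_layout(sock_dir, binary, other_uid, [maildir]))
```

On a real host, pass the actual socket directory, the installed sqwebmail path and the numeric uid of the web server.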