[vchkpw] Binary files of vpopmail, FHS
Dear all, I'm currently doing some packaging work for vpopmail, and have reviewed the file properties. I have seen, that all files (except vusaged in 5.5) have the properties set to -rwx--x--x 1 vpopmail vchkpw. Shouldn't that be more restrictive? E.g. set to 0750 or even owned by root? In an older package of mine (it was 5.4.25) I have set it to 0750 root.root, which did never cause any problems. Regarding the FHS, I think those binaries should be moved to /usr/sbin. What do you think? Regarding the documentation I'd recommend to change the examples to install vpopmail into /var/lib/vpopmail, following the FHS 2.3 section 5.1. Best regards Johannes -- Johannes Weberhofer Weberhofer GmbH, Austria, Vienna !DSPAM:4da8512932717762716941!
Re: [vchkpw] Binary files of vpopmail, FHS
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 04/15/2011 09:07 AM, Johannes Weberhofer wrote: Dear all, I'm currently doing some packaging work for vpopmail, and have reviewed the file properties. I have seen, that all files (except vusaged in 5.5) have the properties set to -rwx--x--x 1 vpopmail vchkpw. Shouldn't that be more restrictive? E.g. set to 0750 or even owned by root? In an older package of mine (it was 5.4.25) I have set it to 0750 root.root, which did never cause any problems. You may set the permissions how you like, but there's really nothing secret contained within the vusaged binary in 5.5. The permissions you're referring to, which have been kept from 5.4 just because there's no reason to change them, were there because the binaries statically linked authentication mechanisms that sometimes had hard-coded authentication values in them. 5.5 binaries do not statically link against the authentication backend. In this case, you would be concerned about permissions on the shared objects used for authentication. Regarding the FHS, I think those binaries should be moved to /usr/sbin. What do you think? Regarding the documentation I'd recommend to change the examples to install vpopmail into /var/lib/vpopmail, following the FHS 2.3 section 5.1. What examples are you referring to? - -- /* Matt Brookings m...@inter7.com GnuPG Key FAE0672C Software developer Systems technician Inter7 Internet Technologies, Inc. (815)776-9465 */ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk2oUscACgkQIwet2/rgZyyVeQCcCyKX+Tw4921dzod5E7vYk3Y7 p8oAnAgxKHWK0z/VeihdSU6e3v+5UarO =DeIG -END PGP SIGNATURE-
Re: [vchkpw] Binary files of vpopmail, FHS
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 04/15/2011 09:47 AM, Johannes Weberhofer wrote: Tools like vadddomain fails when called by a regular user (Error: Can not make domains directory). I haven't checked for the other tools, but I think no user except root can use those. So it could be good to change permissions to 0750 root.root. It's a kind of security improvement, too. Correct, users do not have the proper permissions to execute these commands. You may place any permissions on these files that you would like. Regular users (non-root, non-vpopmail, and non-vchkpw) cannot execute these commands because they read/write resources their uid:gid cannot access. In 5.5, the binaries do not contain any sensitive information, so being able to read or execute the binary as a regular user does not matter. You don't see any issues on moving the binaries to /usr/sbin, so you? Nope. The binaries do not care where they are located. Regarding the FHS, I think those binaries should be moved to /usr/sbin. What do you think? Regarding the documentation I'd recommend to change the examples to install vpopmail into /var/lib/vpopmail, following the FHS 2.3 section 5.1. What examples are you referring to? I had a look on doc/INSTALL. I don't see any reference to FHS pathing in doc/INSTALL. The only change in 5.5 in regards to FHS, is that vpopmail will support alternate pathing than the default ~vpopmail style. This was added to support FHS, but by default, vpopmail plans to continue its default behavior of installing under the vpopmail user's home directory. Hope that helps! - -- /* Matt Brookings m...@inter7.com GnuPG Key FAE0672C Software developer Systems technician Inter7 Internet Technologies, Inc. (815)776-9465 */ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk2oW/UACgkQIwet2/rgZyyCbgCdEzXpeJHo11MaPXxacExHPilY s8wAoIekWGr8rhb56bIA+GkzKCi/fOJO =H65Q -END PGP SIGNATURE-
Re: [vchkpw] Binary files of vpopmail, FHS
Many thanks for your help, things are clear now. Am 15.04.11 16:53, schrieb Matt Brookings: I don't see any reference to FHS pathing in doc/INSTALL. The only change in 5.5 in regards to FHS, is that vpopmail will support alternate pathing than the default ~vpopmail style. This was added to support FHS, but by default, vpopmail plans to continue its default behavior of installing under the vpopmail user's home directory. Sorry, it wasn't the readme file, it was doc/INSTALL, where in the section 12. How to use vchkpw with qmail-pop3d server there are still references to /home/vpopmail. The plan to keep installation in popmail's home-dir does not make any problems, as it's easy to set the home-dir to /var/lib/vpopmail... Hope that helps! Another small question upon compilation: 5.4's vusaged can only be compiled when vpopmail has already been installed in the target destination - there is no way to compile it before installing vpopmail, is there? Many thanks, Johannes -- Johannes Weberhofer Weberhofer GmbH, Austria, Vienna !DSPAM:4da864d732711870713503!
