On 2007-08-22, at 1952, John Simpson wrote:
On 2007-08-22, at 1534, Bob wrote:
Many of us use either qmail-scanner-queue or simscan via patched
qmail ahead of vpopmail. If, as is good practice, we allow the
scanner to run under its own user ID, vchkpw will fail because
instead of running as user "vchkpw" it is running as the scanner
user which doesn't have access to the password files. I would like
to suggest that in the make install, the permission for vchkpw be
set to 4711 so that it will always execute as the vchkpw user.
Doing this will eliminate a bit of extra work when upgrading and
will stop the large number of user questions when they do their
qmail installs.

i've been doing this for several years.

let me correct this statement... i DID this for years, but i don't do
it any longer.

the problem that bob is talking about is this- if somebody is using
the normal AUTH patch for qmail, and wants to use "vchkpw" as a
method of allowing qmail-smtpd to validate AUTH commands, the
"vchkpw" command needs to have permission to read the vpasswd.cdb
files. and if it runs as the "qmaild" user, it doesn't have that
permission.

one solution, and what i did myself for a few years, is to make
"vchkpw" run setuid root. however, some people set up vpopmail
domains using different system uid's (i.e. vadddomain with the "-u"
option) for different domains, as a way to implement "domain quotas"
by setting a filesystem quota on the uid which controls the domain.
in this situation, you do NOT want vchkpw to be setuid to the
vpopmail user.

a better solution is to make qmail-smtpd use something other than a
checkpassword program (which is what "vchkpw" actually is) to verify
passwords. this was the reason that i wrote an addition to my
combined qmail patch, which teaches qmail-smtpd to use an "auth.cdb"
file, with email addresses as keys and encrypted passwords as values,
to validate AUTH commands. since i've started using this, i haven't
needed "vchkpw" to be setuid, and in fact it's not setuid on my
server any more.

one of these days i'll get around to writing an AUTH_CDB patch for
djb's virgin qmail-1.03 code, and probably for netqmail-1.05 as well,
but for now it's available in my combined patch (which has lots of
other yummy features as well.)
| John M. Simpson--- KG4ZOW ---Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
| http://video.google.com/videoplay?docid=-1656880303867390173 |
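The thread's point is that a checkpassword-style program only needs the setuid bit because the per-domain vpasswd.cdb files are unreadable to the daemon user; a single email-to-password-hash table that the daemon user can read removes that need. The following is an added illustration of that idea, not code from the thread, from qmail or from vpopmail: it reads the checkpassword interface (username NUL password NUL timestamp NUL on fd 3) and checks against a constructed in-memory stand-in for an auth.cdb-style table (the real auth.cdb format and its password encryption are not described here, so PBKDF2-SHA256 is an assumption).

```python
# Added example: checkpassword-style verifier over an email -> hash table.
# Runs entirely as the invoking user; nothing here requires setuid.
import hashlib
import hmac
import os
import sys

ITERATIONS = 100_000  # assumption; the page does not specify a hash scheme

def make_entry(password, salt=b"constructed-salt"):
    """Build one (salt, hex digest) table value for the constructed table."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()

# Constructed stand-in for auth.cdb: email address -> (salt, hashed password).
AUTH_TABLE = {
    "alice@example.com": make_entry("correct horse"),
}

def parse_checkpassword_input(data):
    """Parse the fd-3 payload: user NUL password NUL timestamp NUL.
    Returns (user, password), or None if a field is missing."""
    fields = data.split(b"\0")
    if len(fields) < 3:
        return None
    return fields[0].decode("utf-8", "replace"), fields[1].decode("utf-8", "replace")

def verify(user, password, table=AUTH_TABLE):
    """True only when the user exists and the password matches.
    Unknown users are hashed against a dummy entry so timing does not
    reveal whether the address exists."""
    salt, expected = table.get(user, (b"dummy", "0" * 64))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()
    return hmac.compare_digest(actual, expected) and user in table

def checkpassword_exit_code(data, table=AUTH_TABLE):
    """Map a raw fd-3 payload to checkpassword's exit convention:
    0 = accepted, 1 = bad user or password, 2 = malformed input."""
    parsed = parse_checkpassword_input(data)
    if parsed is None:
        return 2
    return 0 if verify(*parsed, table=table) else 1

if __name__ == "__main__":
    # Invoked like a checkpassword program: credentials arrive on fd 3.
    # (A real checkpassword would exec its arguments on success; omitted.)
    try:
        payload = os.read(3, 512)
    except OSError:
        sys.exit(2)
    sys.exit(checkpassword_exit_code(payload))
```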