[vchkpw] SIMSCAN working directory privs

2004-09-28 Thread Fabrizio Frosali - Impulso Srl
I hope this belongs to this list.
I installed simscan 1.03 on a semi-production server with over 400 domains and 2000 maildirs, and it works really fast.
I propose a simple simscan change that can resolve some problems in first tests (IMHO).

Simscan creates the working directory with a privilege of 700. This way, clamd must run as the same owner as simscan to access the msg.

Changing the privilege to 755, clamd and spamd can access the working directory regardless of the clamd process user.
To apply the change, search for this:
  /* create the directory */
  if ( mkdir(workdir, 0700) == -1 ) {
    _exit(EXIT_400);
  }
and replace it with this:
  /* create the directory */
  if ( mkdir(workdir, 0755) == -1 ) {
    _exit(EXIT_400);
  }
--
Fa


Re: [vchkpw] SIMSCAN working directory privs

2004-09-28 Thread tonix (Antonio Nati)
At 28/09/2004 28/09/2004 +0200, you wrote:
> Simscan creates the working directory with a privilege of 700. in this way
> clamd must run with the same owner of simscan to access the msg.

They work on the same files (and only on those files), so why should they have different users?

I feel this design to be very safe, because clamd should be dedicated to e-mail only.
There should be more safety having them only accessing the files with the same uid/permissions.

To complete the security of the system, clamd client should be activated by simscan user only.

> Changing the privilege to 755 clamd and spamd can access the working
> directory regardless of clamd process user.

mod 755 means everyone in the system may access those files.
Ciao,
Tonino

> To apply the change -  search this
>   /* create the directory */
>   if ( mkdir(workdir, 0700) == -1 ) {
>     _exit(EXIT_400);
>   }
> and replace with this
>   /* create the directory */
>   if ( mkdir(workdir, 0755) == -1 ) {
>     _exit(EXIT_400);
>   }
> --
> Fa

[EMAIL PROTECTED]Interazioni di Antonio Nati
   http://www.interazioni.it  [EMAIL PROTECTED]



Re: [vchkpw] SIMSCAN working directory privs

2004-09-28 Thread Fabrizio Frosali - Impulso Srl
At 10.14 28/09/2004, you wrote:
> At 28/09/2004 28/09/2004 +0200, you wrote:
>> Simscan creates the working directory with a privilege of 700. in this
>> way clamd must run with the same owner of simscan to access the msg.
>
> To complete the security of the system, clamd client should be activated
> by simscan user only.

Ok, I admit, I've lost a couple of hours figuring out why simscan rejected all my mails with a 500: my clamd user was wrong (qscand).

I suggest, then, a line in the INSTALL doc:
check that clamd runs under the same simscan user.

> I feel this design to be very safe, because clamd should be dedicated to
> e-mail only.
> There should be more safety having them only accessing the files with the
> same uid/permissions.

I agree with you, clamd should be called only by simscan, but now that simscan is new, everybody tries to test it on servers configured for other solutions (i.e. qmailscan).
If simscan is a little friendly with other solutions it can be tested and adopted very fast.

> mod 755 means every one in the system may access those files.

Yes, that's a fact. But the directory is created, processed by clamd and then removed.


> Ciao,
> Tonino

Ciao
Fa

>> To apply the change -  search this
>>   /* create the directory */
>>   if ( mkdir(workdir, 0700) == -1 ) {
>>     _exit(EXIT_400);
>>   }
>> and replace with this
>>   /* create the directory */
>>   if ( mkdir(workdir, 0755) == -1 ) {
>>     _exit(EXIT_400);
>>   }
>> --
>> Fa
>
> [EMAIL PROTECTED]Interazioni di Antonio Nati
>    http://www.interazioni.it  [EMAIL PROTECTED]