Re: [vchkpw] Real users inside a virtual domain
On 29/07/2006, at 08:45, John Simpson wrote:

> On 2006-07-27, at 0817, Charles Butcher wrote:
>
>> A few power users within a virtual email domain have shell login access to the server. I want their mail to be delivered to their home directory, not to a vpopmail account. I also want the .qmail-ext mechanisms to work for them, under their control.
>
> i've never gotten this to work, at least not directly... the closest i was able to do was tell them to configure pine/elm/mutt as an IMAP client. i'm the only "power user" on my server who understands .qmail files well enough to mess with them, and i do my own custom .qmail file edits as root.
>
> you may want to try adding "localhost" to the /var/qmail/locals file (send a HUP to qmail-send) and create a ~vpopmail/domains/domain.xyz/.qmail-userid file containing "&[EMAIL PROTECTED]", so that their incoming mail is re-delivered to their system userid.

Thanks, John, I did some experiments and worked out the following: if ~vpopmail/domains/domain.xyz/.qmail-userid is edited to contain:

    |forward [EMAIL PROTECTED]

and you then link .qmail-userid-default to .qmail-userid, then it all works as expected:

    [EMAIL PROTECTED] is forwarded to [EMAIL PROTECTED]
    [EMAIL PROTECTED] is forwarded to [EMAIL PROTECTED]

and the exact same file contents work for any value of userid, so I could conceivably just link as many different .qmail-userid and .qmail-userid-default to the same "master" file as I want. (Note that symlinks do not show up in qmailadmin's forwards list, but if you use hard links they do.)

qmailadmin 1.2.10 will not let you put the |forward statement in the .qmail file directly, but once you have manually edited it, qmailadmin shows the forwarding line in italics (without the leading |). So at least you can see what the file contains.

I'm thinking of making these special .qmail files owned by root and group vchkpw, read-only, so they can't be accidentally modified with qmailadmin.

Cheers!
Re: [vchkpw] Real users inside a virtual domain
On 2006-07-28, at 1721, Matt Kane wrote:

> ...

why are you replying via private email? this conversation started on the vchkpw list, it should stay there. there's nothing in your message which would justify it leaving the list.

> I haven't tried this but would it not be possible to simply change where the user home directory is pointed in the vpopmail database? I believe there may be some permission issues but it seems like it could potentially work.

"may be some permission issues" is a major understatement.

the vpopmail domain directory and all of its contents are owned by the numeric uid/gid specified in the domain's users/assign entry, which is usually userid "vpopmail" and group "vchkpw". the qmail-local process which handles the delivery process will be running as this uid/gid. this means that the user would have to make their Maildir writable to the vpopmail userid in order for deliveries to be possible.

this also means that they could set up a .qmail file which runs an arbitrary command as the vpopmail user, and therefore makes it possible for them to do anything with any mailbox on the system. if i were one of these system users, it would be trivial for me to read anybody's mailbox, or add or delete mailboxes, or reset other people's passwords, or if the system admin were stupid enough to use plain-text passwords, i could get a list of the passwords for every mailbox on the system.

ten years of building and running ISPs and mail servers has taught me that there is no such thing as being too careful. i won't say i'm the best in the world at finding security holes, but if i can find something like this, it's a good bet that the black-hat hackers, script kiddies, and other kinds of ankle-biters out there will already have found out about it.

the safe and simple way to do it is like i said, forward it to a "local" address so that the normal qmail mechanisms do the delivery, AS the user's uid/gid. no special permissions are needed, and any scripts that they might add to a .qmail file would run as their own uid/gid, giving them no more access to the system than they would otherwise have.

> Another trick would be to make a symbolic link in the users folder to link to the system .qmail file.

what do you mean by "the users folder"? and what do you mean by "the system .qmail file"?

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]>        |
--
| Mac OS X proves that it's easier to make UNIX   |
| pretty than it is to make Windows secure.       |
--
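The two mechanisms discussed in this thread, Charles's per-user `|forward` files and John's point that any `|command` line in a domain-directory .qmail file runs as the domain's uid/gid, can be put together in a small script. The following is an added example, not code from the thread or from the qmail or vpopmail projects. It assumes a `~vpopmail/domains/<domain>` directory is passed as the first argument, that "localhost" is already in /var/qmail/locals (and qmail-send has been HUPed), that the system account name equals the virtual userid, and that the delivery group is named "vchkpw" as in the thread; the function names and the `.qmail-default` skip are this example's own choices.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Manages the "safe" forward files
# described in the thread and audits a vpopmail domain directory for .qmail
# files that would run a program as the domain's uid/gid (vpopmail:vchkpw).
#
# Assumed layout: DOMAIN_DIR is ~vpopmail/domains/<domain>; "localhost" is in
# /var/qmail/locals; system account name == virtual userid.

# write_forward DOMAIN_DIR USERID
# Writes .qmail-USERID containing the single line "|forward USERID@localhost"
# and hard-links .qmail-USERID-default to it, so USERID-ext addresses are
# forwarded as well. A hard link (not a symlink) keeps the forward visible
# in qmailadmin, as noted in the thread.
write_forward() {
    dir=$1; user=$2
    printf '|forward %s@localhost\n' "$user" > "$dir/.qmail-$user"
    rm -f "$dir/.qmail-$user-default"
    ln "$dir/.qmail-$user" "$dir/.qmail-$user-default"
}

# lock_forward DOMAIN_DIR USERID
# Charles's untested idea: owner root, group vchkpw, mode 0640, so qmail-local
# (running as vpopmail:vchkpw) can still read the file but qmailadmin cannot
# rewrite it. chown needs root and an existing vchkpw group, so it is only
# attempted when both hold; the mode change is applied either way and covers
# the -default hard link too, since it is the same inode.
lock_forward() {
    dir=$1; user=$2
    if [ "$(id -u)" = 0 ] && getent group vchkpw >/dev/null 2>&1; then
        chown root:vchkpw "$dir/.qmail-$user"
    fi
    chmod 0640 "$dir/.qmail-$user"
}

# audit_qmail_dir DOMAIN_DIR
# Prints every .qmail-* file in DOMAIN_DIR that contains a program delivery
# ("|command") other than the sanctioned "|forward ..." form, and returns 1 if
# any was found, 0 if the directory is clean. Plain "&address" forward lines
# are not program deliveries and pass. vpopmail's own .qmail-default, which
# invokes vdelivermail, is skipped (an assumption about the standard layout).
audit_qmail_dir() {
    dir=$1; found=0
    for f in "$dir"/.qmail-*; do
        [ -f "$f" ] || continue
        case "$f" in */.qmail-default) continue ;; esac
        if grep '^|' "$f" | grep -qv '^|forward '; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# Usage (as the administrator):
#   write_forward /home/vpopmail/domains/domain.xyz userid
#   lock_forward  /home/vpopmail/domains/domain.xyz userid
#   audit_qmail_dir /home/vpopmail/domains/domain.xyz || echo "program deliveries found"
```

The audit is deliberately strict: it does not try to judge whether a program line is harmless, because any such line runs with the vpopmail uid/gid and so has the reach John describes, whatever the command is. Running it from cron against every domain directory gives a cheap detective control to pair with the forward-to-local-address design.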
Re: [vchkpw] Real users inside a virtual domain
On 2006-07-27, at 0817, Charles Butcher wrote:

> A few power users within a virtual email domain have shell login access to the server. I want their mail to be delivered to their home directory, not to a vpopmail account. I also want the .qmail-ext mechanisms to work for them, under their control.

i've never gotten this to work, at least not directly... the closest i was able to do was tell them to configure pine/elm/mutt as an IMAP client. i'm the only "power user" on my server who understands .qmail files well enough to mess with them, and i do my own custom .qmail file edits as root.

you may want to try adding "localhost" to the /var/qmail/locals file (send a HUP to qmail-send) and create a ~vpopmail/domains/domain.xyz/.qmail-userid file containing "&[EMAIL PROTECTED]", so that their incoming mail is re-delivered to their system userid.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]>        |
--
| Mac OS X proves that it's easier to make UNIX   |
| pretty than it is to make Windows secure.       |
--