Assuming that Thomas Ackermann is using Sqwebmail, Vpopmail, and Apache with
the following setup...

Sqwebmail - uses vpopmail authentication

Vpopmail - username/password pairs are stored in
~vpopmail/domains/some_domain_here/vpasswd (and ./vpasswd.cdb) and are
readable only by vpopmail:vchkpw (no rwx permissions for others)

Apache - runs as nobody:nobody

...then Sqwebmail does not use PAM and won't require setuid/setgid root for
that method of authentication. Also, setting setuid/setgid to
vpopmail:vchkpw for the sqwebmail binary will not cause Apache (and other
httpd's) to execute it under that user:group, which means sqwebmail cannot
access ~vpopmail/domains/some_domain_here/vpasswd (and ./vpasswd.cdb).

However, if Thomas runs httpd as root, then the setuid/setgid bits on the
sqwebmail binary will cause the web server to execute the cgi as
vpopmail:vchkpw. I would not recommend running httpd as root though. Thomas
should configure httpd to run as vpopmail:vchkpw or some other user:group
that has read permission in ~vpopmail. Using SuExec may be an option if the
aforementioned change is not acceptable.



> -----Original Message-----
> From: Mihai NEGREA [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 07, 2000 6:35 AM
> To: Thomas Ackermann
> Cc: Zealous One; [EMAIL PROTECTED]
> Subject: RE: suid root problems
>
>
> you have to make it suid root so it can access pam authentication... if
> you make it suid some other non-root group it would not be able to read
> the passwords.
>
> Negrea Mihai
> email: [EMAIL PROTECTED]
> phone: +4093612495
>
>
> On Thu, 7 Sep 2000, Thomas Ackermann wrote:
>
> > On Thu, 07 Sep 2000, Zealous One wrote:
> > > Is your web server configured to execute cgi's as vpopmail:vchkpw rather
> > > than some other user like nobody:nobody?
> > >
> > Shouldn't it be irrelevant how the server is configured if I adjust my
> > sqwebmail binary to: -rwsr-sr-x    1 vpopmail vchkpw  ??
> >
>
>
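
A small diagnostic for the question argued in this thread, added here as an example and not code from any poster or from sqwebmail: installed with the same owner and mode bits as the sqwebmail binary and requested through the web server, it reports the real and effective uid:gid the CGI runs with and whether those could read the vpasswd file. VPASSWD_PATH is a placeholder, the function names are hypothetical, and supplementary groups and ACLs are ignored.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder: set to the real vpasswd location before compiling. */
#define VPASSWD_PATH "/path/to/vpasswd"

/* Owner/group/other read check for one effective uid:gid. Only the first
 * matching class counts. Assumption: supplementary groups and ACLs ignored. */
int may_read(mode_t mode, uid_t fuid, gid_t fgid, uid_t euid, gid_t egid)
{
    if (euid == 0)
        return 1;                       /* root bypasses the mode bits */
    if (euid == fuid)
        return (mode & S_IRUSR) != 0;
    if (egid == fgid)
        return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Nonzero when the effective identity differs from the real one. */
int ids_changed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    struct stat st;

    printf("Content-Type: text/plain\r\n\r\n");
    printf("real      uid:gid = %ld:%ld\n", (long)ruid, (long)rgid);
    printf("effective uid:gid = %ld:%ld\n", (long)euid, (long)egid);
    printf("effective differs from real: %s\n",
           ids_changed(ruid, euid, rgid, egid) ? "yes" : "no");

    if (stat(VPASSWD_PATH, &st) != 0) {
        printf("stat %s: %s\n", VPASSWD_PATH, strerror(errno));
        return 0;
    }
    printf("%s is %ld:%ld mode %04o, readable: %s\n", VPASSWD_PATH,
           (long)st.st_uid, (long)st.st_gid, (unsigned)(st.st_mode & 07777),
           may_read(st.st_mode, st.st_uid, st.st_gid, euid, egid) ? "yes" : "no");
    return 0;
}
```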
