-----BEGIN PGP SIGNED MESSAGE-----
Hello Bill,
Saturday, May 26, 2001, 6:44:21 AM, you wrote:
> Just to be devil's advocate - what are the real threats behind the
> bin running SUID root?
> I mean - what's in the code that can be broken? Are the functions
> solid enough to only make limited calls?
IMHO, the question isn't even whether sqwebmail is secure (as no
software is really secure, and I surely am not qualified to answer this
question) but whether you can get away with running it not suid root.
If you can (no problem at all when running vpopmail without
/etc/passwd users), you of course should, since this will save your
machine (not necessarily your mails, though, as sqwebmail needs direct
r/w access to the mail directories) from being rooted in case an
sqwebmail exploit is found. But this is told by even the worst
security-related book out there, so if people don't obey it, one can't
help them, IMNSHO...
Best regards,
Gabriel
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i
-----END PGP SIGNATURE-----