Hi Brian, thanks for the reply.
I know setuid to another user is also mentioned in SECURITY.html. I have a predicament. I have installed SqWebMail as a setuid root program, accessed as https://mail.mydomain.com/cgi-bin/sqwebmail?index=1 (SSL enabled). My SqWebMail setup authenticates passwords from a MySQL database. Now I need to install another CGI application, written in Perl, to manage the password table and other email-related tables. I have multiple domains on my server that belong to different companies. Since mail.mydomain.com is not suEXEC, it is necessary to give this CGI application world-readable and world-executable permissions. Inside this application there is very sensitive information, such as the userid and password used to connect to the database. Since the application is world-readable, CGI programs that do not belong to our company can easily read the userid and password for the database. This is a serious security breach.

One way to solve this is to enable suEXEC for mail.mydomain.com, but then setuid programs such as SqWebMail cannot be used. The other option is to put the mail management application on another host, but then I need to buy another security certificate for that host, because the first thing this mail management application asks for is a login. So what do you suggest in this case?

I have read on the mailing list that SqWebMail is designed to run as a setuid program only. Is there any patch available for SqWebMail to install it as a normal CGI program without any setuid? Since certain uses of SqWebMail, such as authenticating passwords against a database or LDAP, do not require it to run as a setuid program, provided you make sure that maildirs, cache, etc. are readable by SqWebMail, could I request a compile-time option to disable setuid and install it as a normal CGI program?
Best regards,
Sagara

--- Brian Candler <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 23, 2003 at 09:01:23AM -0700, Sagara Wijetunga wrote:
> > If SqWebMail is run as a particular user and maildirs are owned by
> > that user, to validate passwords from a SQL database, is it still
> > necessary for SqWebMail to be installed as a setuid root program?
>
> No, it can be run setuid that user instead. I've had it running that way
> with an LDAP backend. You need to chown the authdaemond socket to that
> user as well.
>
> Regards,
>
> Brian.
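The exposure Sagara describes (a world-readable Perl CGI in a shared, non-suEXEC cgi-bin carrying the MySQL user and password, next to a setuid sqwebmail binary) and the alternative Brian outlines (run setuid to an unprivileged user rather than root) can both be checked mechanically. The following is an added example, not code from SqWebMail, Courier or either poster; the cgi-bin layout, the file names, the `hunter2` password and the `/etc/mailadm/dbauth` path are constructed assumptions. It also carries the caveat a practitioner needs here: on Linux the setuid bit on a `#!` script is ignored, so a Perl CGI can only change uid through suEXEC or a small setuid wrapper, and a separate 0600 credential file on its own does not help on a vhost where every CGI runs as the Apache user.

```python
"""Permission audit for the situation discussed in the thread: a Perl CGI
in a shared, non-suEXEC cgi-bin that embeds the MySQL user and password,
next to a setuid sqwebmail binary.  Added example, not code from SqWebMail
or Courier; the directory layout, file names, credential strings and the
/etc/mailadm/dbauth path are constructed assumptions."""
import os
import re
import stat
import tempfile

# Assumption: the Perl CGI uses DBI, so an embedded secret shows up either
# as a quoted third argument to DBI->connect(...) or as $password = '...'.
EMBEDDED_SECRET_RE = re.compile(
    r"""DBI->connect\s*\(\s*['"][^'"]*['"]\s*,\s*['"][^'"]*['"]\s*,\s*['"][^'"]+['"]"""
    r"""|\$(?:db_?)?pass(?:wd|word)?\s*=\s*['"][^'"]+['"]"""
)


def audit_cgi_dir(cgi_dir):
    """Return sorted (filename, problem) pairs for regular files in cgi_dir.

    'world-readable-credentials': a text file matching EMBEDDED_SECRET_RE
        with the other-read bit set, so every CGI run by the same Apache
        (another company's, in this thread) can read the DB password.
    'setuid-root' / 'setuid': the setuid bit is set; root-owned is the
        default SqWebMail install, an unprivileged owner is the layout
        Brian describes.
    """
    findings = []
    for name in sorted(os.listdir(cgi_dir)):
        path = os.path.join(cgi_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & stat.S_ISUID:
            findings.append((name, "setuid-root" if st.st_uid == 0 else "setuid"))
        try:
            with open(path, encoding="utf-8") as f:
                text = f.read()
        except (UnicodeDecodeError, OSError):
            continue  # compiled binary or unreadable: nothing textual to scan
        if EMBEDDED_SECRET_RE.search(text) and st.st_mode & stat.S_IROTH:
            findings.append((name, "world-readable-credentials"))
    return findings


def check_credential_file(conf_path, owner_uid=None):
    """Hardened layout: the script keeps no secret; the DB password lives in
    a separate file owned by the uid the script runs as, mode 0600.  That
    uid has to be reached via suEXEC or a setuid wrapper, because Linux
    ignores the setuid bit on #! scripts.  Returns a list of violations,
    empty when the layout is correct.  owner_uid defaults to this process."""
    if owner_uid is None:
        owner_uid = os.getuid()
    problems = []
    st = os.stat(conf_path)
    if st.st_uid != owner_uid:
        problems.append("wrong-owner")
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group-or-world-accessible")
    return problems


# Constructed samples: the exposed script and its hardened counterpart.
SCRIPT_WITH_SECRET = """#!/usr/bin/perl
use DBI;
my $dbh = DBI->connect('DBI:mysql:mail', 'mailadmin', 'hunter2');
"""

SCRIPT_WITHOUT_SECRET = """#!/usr/bin/perl
use DBI;
open(my $fh, '<', '/etc/mailadm/dbauth') or die "no dbauth: $!";
chomp(my $pass = <$fh>);
my $dbh = DBI->connect('DBI:mysql:mail', 'mailadmin', $pass);
"""


def _write(path, data, mode):
    with open(path, "wb") as f:
        f.write(data if isinstance(data, bytes) else data.encode())
    os.chmod(path, mode)


def build_sample_tree():
    """Create a constructed cgi-bin; returns (cgi_dir, good_conf, bad_conf)."""
    root = tempfile.mkdtemp(prefix="cgi-audit-")
    cgi_dir = os.path.join(root, "cgi-bin")
    os.mkdir(cgi_dir)
    _write(os.path.join(cgi_dir, "mailadmin.cgi"), SCRIPT_WITH_SECRET, 0o755)
    _write(os.path.join(cgi_dir, "mailadmin2.cgi"), SCRIPT_WITHOUT_SECRET, 0o755)
    # Fake ELF header with invalid UTF-8 so it is skipped as a binary.
    _write(os.path.join(cgi_dir, "sqwebmail"), b"\x7fELF\xff\xfe", 0o4755)
    good_conf = os.path.join(root, "dbauth")
    _write(good_conf, "hunter2\n", 0o600)
    bad_conf = os.path.join(root, "dbauth.bad")
    _write(bad_conf, "hunter2\n", 0o644)
    return cgi_dir, good_conf, bad_conf


if __name__ == "__main__":
    cgi_dir, good_conf, bad_conf = build_sample_tree()
    print(audit_cgi_dir(cgi_dir))
    print(check_credential_file(good_conf), check_credential_file(bad_conf))
```

Run it against a real cgi-bin with `audit_cgi_dir("/var/www/cgi-bin")`; note that `mailadmin2.cgi` stays world-readable and is still fine, because the script itself no longer contains anything worth reading.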
