Sagara Wijetunga writes: > I have a predicament. I have installed the SqWebMail > as a setuid root program
Not a good idea. A hole in sqwebmail could allow somebody to execute arbitrary code as root. Sqwebmail is big and complicated. Mr Sam is a good coder, but it's always possible to miss something. > I have multiple domains in my server belongs to > different companies. Since my mail.mydomain.com is not > suEXEC, it is necessary to enable world readable and > executable permissions to this CGI application. Not a good idea. > One way to solve this is to enable suEXEC to > mail.mydomain.com. That is a better idea, even if Mr Sam does not support it. > Then setuid programs such as SqWebMail cannot use. Chown all your mail domains and their contents, and sqwebmail, to the same user and group. If you use vpopmai then change them to vpopmail:vchkpw. Make sqwebmail an ordinary script not a setuid one. If you're using authdaemon for anything you may have to change the ownership of its socket. Make /var/cache/sqwebmail and contents owned by the same uid that you used for sqwebmail. > I have read in the mailing list that the SqWebMail is > designed to run as a setuid program only. Mr Sam only supports running as setuid. > Is there any patch available for the SqWebMail to > install it as a normal CGI program without any setuid? No patch is needed. It will run quite happily under suexec provided you create the right environment. It is suexec itself that refuses to run setuid CGIs (and you can get around that if you really have to). If the ownerships and permissions of all the data directories and files match that of sqwebmail then it doesn't need setuid. Take the setuid off sqwebmail, add User and Group directives in the appropriate part of your Apache config and suexec will quite happily run it. Well, that works with vpopmail. I don't know if there are problems with any of the alternatives to vpopmail that would require setuid root in order to function correctly. > Since certain uses of the SqWebMail such as > authenticate passwords against a database or LDAP does > not require it to run as a setuid program provided you > make sure that maildirs, cache, etc. are readable by > the SqWebMail, The maildirs also have to be WRITEable by sqwebmail... > could I request a compile-time option > to disable setuid and installed as a normal CGI > program? You can request but my guess is your request will be ignored. You can use the --with-cacheowner configure option to control the ownership of the cache. After that it's just matter of a chown and chmod on the sqwebmail binary if your mail domains have the same owner. The options --with-suexec-user and --with-suexec-group would be cleaner, but Mr Sam appears to be vehemently against supporting suexec so you'll just have to do some minor post-install tweaking. Perhaps somebody would like to rewrite this a little and add it to the unofficial FAQ. -- Paul Allen Softflare Support
