On Thursday 07 November 2002 10:16 pm, Kelvin D. Olson wrote:
> > It turns out that tmda-pending is trying to read the pending
> > directory and the files in it. Presumably, it will want to write
> > there as well.
>
> I'm not sure. My hunch is that it primarily needs to read and delete.
> But the permission to delete is equivalent to the permission to write.
It definitely needed to read the messages to parse them. It needs to write
the directory in order to delete them. It probably doesn't need to write the
message files. That does reduce some of the security issues....
> > But it's trying to do it as the web server user, apache. So, to
> > make it work, I've had to do chmod 666 on ~/.tmda/pending/* and
> > .delivered_cache. Now I know there are some security implications
> > here.... What are they?
>
> Good question. Might increase the importance of using http
> authentication, at least.
Ya. Fraid so.
> > And newly blocked messages won't get the right permissions.
> >
> > How do I fix this?
>
> Just a couple messages ago on this list, something was mentioned about
> the umask.os setting... for unrelated subject matter. I've already
> tossed it.
I've never even seen Python. So I'm not quite sure what this is. I'm
familiar with umask. I just don't know how to set it for tmda. Can you give
me a (small) clue?
> It also might help to make the primary apache group and the primary
> user's group the same... or add the apache user to the group that
> naturally is associated with those .msg files. Doesn't help the
> security risk, but might solve the "apache can't delete it" problem.
Unfortunately, I'm using Mandrake, which is based on RedHat. RH creates a
separate group for EACH user. I would have to re-configure ALL of my users
in order to do this. This is the right way to do it, but until I get rid of
Mandrake, it's rather difficult.
--
Mike Diehl
PGP Encrypted E-mail preferred.
Public Key via: http://dominion.dyndns.org/~mdiehl/mdiehl.asc
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
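The two permission facts the thread turns on (a new file's mode is the requested mode masked by the process umask, and unlinking a file needs write permission on the directory rather than on the file) can be checked directly on a POSIX system. The script below is an added example for this thread, not code from TMDA or from either poster; the file names and message text it creates are constructed, and it only exercises the operating-system umask and directory semantics, not any TMDA configuration option.

```python
"""
Check the permission semantics discussed in the thread (added example).

1. The mode a program asks for when creating a file is masked by the
   process umask: umask 022 turns a requested 0666 into 0644, umask 077
   turns it into 0600.
2. Deleting a file requires write (and search) permission on the
   containing directory, not on the file: a 0444 file in a writable
   directory can be unlinked, while a 0666 file in a non-writable
   directory cannot, unless the process runs as root.
POSIX only (uses os.umask and os.geteuid).
"""
import os
import stat
import tempfile


def mode_after_umask(umask: int, requested: int = 0o666) -> int:
    """Create a file with `requested` mode under `umask` and return the
    permission bits the kernel actually applied."""
    old = os.umask(umask)  # umask is process-wide: save it and restore it
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "pending.msg")  # constructed name
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def can_unlink(file_mode: int, dir_mode: int) -> bool:
    """Create one constructed message file with `file_mode` inside a
    directory with `dir_mode` and report whether the current user can
    unlink it. Deletion is governed by `dir_mode`, not `file_mode`."""
    with tempfile.TemporaryDirectory() as tmp:
        pending = os.path.join(tmp, "pending")
        os.mkdir(pending, 0o700)
        path = os.path.join(pending, "1036700000.12345.msg")  # constructed
        with open(path, "w") as f:
            f.write("From: sender@example.invalid\n\nconstructed sample\n")
        os.chmod(path, file_mode)
        os.chmod(pending, dir_mode)
        try:
            os.unlink(path)
            return True
        except PermissionError:
            return False
        finally:
            # restore directory write bit so TemporaryDirectory can clean up
            os.chmod(pending, 0o700)


def running_as_root() -> bool:
    """Root bypasses the directory-write check, so callers can tell whether a
    successful unlink in a read-only directory is expected."""
    return os.geteuid() == 0


if __name__ == "__main__":
    for um in (0o000, 0o022, 0o077):
        print(f"umask {um:03o}: requested 0666, got {mode_after_umask(um):04o}")
    print("0444 file in 0700 dir removable:", can_unlink(0o444, 0o700))
    print("0666 file in 0500 dir removable:", can_unlink(0o666, 0o500),
          "(root)" if running_as_root() else "")
```

The second check is the one that matters for the chmod 666 workaround: making each message file world-writable does nothing to let the apache user delete it, while it does let any local user alter or replace the pending messages. What the web user actually needs is write permission on the pending directory itself, which a shared group (or a setgid group directory) can grant without making the individual files writable by everyone.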