Anders Brander writes:
> If you add a special group to every user you are back where you started.
I didn't say it was a good solution. I said it was a solution. Compared
to that, a lot of the alternatives look good.
> I can't see what's wrong with a mysql user per system user. That would
> be really clean and effective.
It could get rather unwieldy if you use MySQL for other things.
> If the administrative tools are integrated into vpopmail, I fail to
> see any trouble ahead (user/admin-wise).
I can see one. I set up a system user. Who wants e-mail. So then
I have to use another tool to add that user to vpopmail.
> It would completely remove any use for any setuid/setgid-hacks.
That is the one advantage I see to it. Whether or not one views that
advantage as compelling is another matter.
> > 3) A very small utility that is setgid vpsql. It does the following
> > when passed a username and password to verify.
> You will also need small tools to do all other sorts of operations,
> quota, valias and so on.
I did mention those at the end. And even said that I preferred several
small tools to one large one that uses switches to decide what it did
because that would mean more code and a harder time auditing it.
> > c) Connects to MySQL.
> - and forgets username and password.
OK, I take your point. It no longer needs them at that juncture and
it's barely possible there's something exploitable later.
> It's not as simple as that, think about APOP authentication...
I don't have need of APOP so I didn't think about it. I was trying
to establish the general principle for doing it setgid with minimal
risks. I think something (well, several somethings) along those lines
would be feasible without opening up vulnerabilities. None of us like
set-id and try to avoid it, but there are times when it is better than
the alternatives (if sufficient care is taken). Compared to the major
hunk of setuid code that is sendmail and which a lot of systems run,
this ought to be far less likely to be exploited. It's not the only
solution and it may turn out not to be the best solution, but at least
it's there for consideration (and possible improvement).
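
Added example, not part of the original message and not vpopmail code: a C sketch of the setgid-helper ordering discussed above, where the MySQL credentials are read while the vpsql group is still held, the group is then dropped for good, and the credentials are wiped once the connection step returns. The credentials file format ("dbuser:dbpass"), the function names and the demo_connect stand-in for the MySQL call are assumptions.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*connect_fn)(const char *user, const char *pass);

/* Zero a buffer through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Give up the setgid group permanently. setregid() with a real gid argument
   also resets the saved gid, so the old group cannot be restored later.
   The regain check assumes the helper is not being run by root. */
int drop_setgid(void) {
    gid_t want = getgid(), old = getegid();
    if (setregid(want, want) != 0) return -1;
    if (old != want && setegid(old) == 0) return -1; /* must fail */
    return (getegid() == want) ? 0 : -1;
}

/* Assumed file format: one line "dbuser:dbpass", readable only by group vpsql.
   buf is caller-supplied (buflen >= 1) and is always zeroed before returning. */
int db_session(const char *cred_path, char *buf, size_t buflen, connect_fn do_connect) {
    int rc = -1;
    char *sep;
    ssize_t n = -1;
    int fd = open(cred_path, O_RDONLY);   /* the only step that needs the group */
    if (fd >= 0) {
        n = read(fd, buf, buflen - 1);    /* read(2): no stdio copy left behind */
        close(fd);
    }
    if (drop_setgid() != 0 || n <= 0) goto out;   /* unprivileged from here on */
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';
    if ((sep = strchr(buf, ':')) == NULL) goto out;
    *sep = '\0';
    rc = do_connect(buf, sep + 1);        /* step c): connect to the database */
out:
    wipe(buf, buflen);                    /* "and forgets username and password" */
    return rc;
}

/* Stand-in for the MySQL connect call so the example runs offline (constructed). */
int demo_connect(const char *user, const char *pass) {
    return (strcmp(user, "vpopmail") == 0 && pass[0] != '\0') ? 0 : -1;
}
```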