On Friday 06 August 2004 11:26 am, Hugh Beaumont wrote:
> > > qmail-pop3d runs as vpopmail - everything works except system account
> > > password checking
> > ls -l /etc/shadow
> > nuff said.
> Thanks for the, um, help :)
more like a hint :)
> Obviously /etc/shadow is owned by root.root - this is why I assume there is
> no way to do this without running some part of the system as root or
> doing some funky group manipulations (all of which I would view as being a
> very bad idea).
and if you did any group permissions on the /etc/shadow file, it would
probably go away the second you added another user, unless you hacked your
user modification programs, wrote your own, or did it manually, all of which
are possible, but a complete waste of time in my opinion.
> However I thought that there may have been a preferred way among the group
> members of handling this problem. I assume that most people just run
> vpopmail using only vpopmail owned accounts. However I also assume that if
> anyone is using system accounts that they aren't too thrilled with the idea
> of running it as root. I was hoping to hear of any other possible ways
> to get around this.
well, even if /etc/shadow was readable by the vpopmail user, each individual
user's mail store probably isn't (for the system users), so that creates a
It would take a whole lot of hacking, and it might work, but I doubt it's
worth the time, and it may actually open up more security problems than it
I don't understand why you're so concerned with having the pop3 server run as
root. qmail-popup has no remote root holes (at least stock, which is what
most people use, as I don't think there are any patches out there that
directly affect qmail-popup other than maybe the errno patch) and unless your
checkpassword replacement (in this case, vchkpw) has any (which, I've never
heard of :), I don't see the need for concern.
On my mail server, I've been using system accounts with vmailmgr for several
years, and I have never been worried about the security of my pop3/imap
servers. In fact, the thing I'd be worried the most about is clear text
passwords, but I have SSL-enabled pop3, imap, and smtp services, so that
problem is solved.
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
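
The two obstacles discussed in this thread (a non-root POP3 identity cannot read /etc/shadow, and a group workaround on /etc/shadow still leaves each system user's mail store unreadable) can be modelled with the POSIX mode-bit rules. This is an added example, not code from the original message or from vpopmail/qmail; every uid, gid, mode and path in it is a constructed sample value, and the "shadow" group is an assumption.

```python
import stat
from collections import namedtuple

# All uids, gids, modes and paths below are constructed sample values.
Entry = namedtuple("Entry", "path uid gid mode is_dir")
Ident = namedtuple("Ident", "name uid gids")

def can_access(ident, entry):
    """POSIX mode check: only one class applies (owner, else group, else other)."""
    if ident.uid == 0:
        return True                      # root bypasses mode bits
    if ident.uid == entry.uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif entry.gid in ident.gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    need = (r | x) if entry.is_dir else r  # a directory needs search (x) as well
    return (entry.mode & need) == need

def blocked(ident, entries):
    """Paths this identity cannot read: where password checks or mail access fail."""
    return [e.path for e in entries if not can_access(ident, e)]

ROOT_GID, SHADOW_GID, VPOP = 0, 42, 89   # hypothetical ids
shadow_stock = Entry("/etc/shadow", 0, ROOT_GID, 0o600, False)    # owned root.root
shadow_group = Entry("/etc/shadow", 0, SHADOW_GID, 0o640, False)  # group workaround
maildir = Entry("/home/alice/Maildir", 1000, 1000, 0o700, True)   # a system user's store

vpopmail = Ident("vpopmail", VPOP, {VPOP})
vpopmail_in_shadow = Ident("vpopmail", VPOP, {VPOP, SHADOW_GID})
root = Ident("root", 0, {0})

if __name__ == "__main__":
    for who, files in [(vpopmail, [shadow_stock, maildir]),
                       (vpopmail_in_shadow, [shadow_group, maildir]),
                       (root, [shadow_stock, maildir])]:
        print(who.name, sorted(who.gids), "blocked:", blocked(who, files))
```

Only the root identity gets an empty list; the group workaround removes /etc/shadow from the list but the mail store stays blocked.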