On Friday 06 August 2004 11:53 am, Hugh Beaumont wrote:
> --- Jeremy Kitchen <[EMAIL PROTECTED]> wrote:
> > I don't understand why you're so concerned with having the pop3 server
> > run as root.  qmail-popup has no remote root holes (at least stock, which
> > is what most people use, as I don't think there are any patches out there
> > that directly affect qmail-popup other than maybe the errno patch) and
> > unless your checkpassword replacement (in this case, vchkpw) has any
> > (which, I've never heard of :), I don't see the need for concern.
> That's very good advice. I think I may eventually switch back. It always
> just bugged me a bit that it was running as root when I was able to run
> qmail-smtp as non-root. But you are right, any attempt to allow non-root
> system accounts would just cause even more security issues due to all the
> non-standard changes I'd have to make. I guess I'm just paranoid :)

Well, unpatched qmail-smtpd really has no reason to run as any specific user.  
qmail uses the qmaild user because the qmaild uid is hardcoded into 
qmail-queue, and if qmail-queue is invoked by that uid, it considers it to be 
coming 'from the network'.  Any and all users should be able to use 
qmail-queue (unless you've modified the permissions on the binary, which, 
while not very common, isn't unreasonable).

On the other hand, qmail-pop3d invokes an authenticator, which may need to 
read files owned by root, and may need to setuid to any arbitrary userid on 
the system.  Therefore it MUST run as root, as non-root users can't setuid.  
This is similar to the reasoning behind qmail-lspawn needing to run as root.

But I agree, I think you're just paranoid (which is fine, and I'm trying to 
ease your paranoia :).  I'd rather deal with a paranoid admin than one who 
doesn't think before doing things that could potentially be dangerous (like 
a publicly accessible network service run as root).
