On 2005-08-25, at 0907, Rick Macdougall wrote:
Tijs Zwinkels wrote:
It seems that both qmailadmin and the delivery process 'setuid' to the user that's receiving the mail. The problem is: the vpopmail.mysql file isn't readable by 'normal' users. Nor i want it to be readable by my users: With the information in this file, they could logon and alter the database for every user on the system!

Any ideas on how to handle this?

I do the same thing here and I run qmail-smtpd as root. Otherwise it doesn't work as you have seen.

part of the reason that qmail is broken into several parts is to limit the amount of damage that can be done by a security breach. running qmail-smtpd as root is not necessary, and is in fact dangerous. of course there is a $500 guarantee on the security of qmail's code, but (1) that doesn't apply if you're using any qmail patches (and nowadays, who isn't?) and (2) if somebody does find a security hole (and chances are it will be because of a problem with a patch rather than with qmail itself) do you want your system to be one of the first victims?

| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <[EMAIL PROTECTED]> |
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |

Attachment: PGP.sig
Description: This is a digitally signed message part

Reply via email to