On 2005-11-23, at 1154, Tom Collins wrote:
On Nov 22, 2005, at 8:50 PM, John Simpson wrote:
vpopmail isn't the cause of this problem- you're simply running into the limit of what qmailadmin allows the user to do. it probably wouldn't take much for them to add the ability to enter arbitrary lines (including "|" lines) but they haven't done it- probably because very few people need it.

Actually, it was possible during some development releases, but we realized that it opened up a big security hole. Since the .qmail file is run as the vpopmail user, it would be very dangerous to allow a user to put anything in there. A malicious user could delete ~vpopmail/domains via their .qmail file or even have the contents of ~vpopmail/etc/vpopmail.mysql emailed to them.

yeah. that's why the qmailadmin work-alike that i wrote before qmailadmin came out didn't have the ability to let a normal user put arbitrary lines in there... but it did allow the administrator (not domain-level postmaster, but machine-level administrator, who had full rights to do anything in any domain) to do it. i wrote it in there because at the time i had one client who needed it.

there's also the fact that this would expose another bug (or poor design decision) in vpopmail- when vpopmail is tied to mysql, the "valias" table (which contains the lines normally stored in .qmail-* files) has no sequence field- so if you have a .qmail file which requires a definite sequence (i.e. runs "condredirect" on one line, and then something else after it) and store those lines in the mysql "valias" table, there would be no guarantee that the "condredirect" line would be run first.

A poor design decision that at least I've been aware of for awhile, but haven't had time to address. Simply adding an auto-increment field to that table and sorting on it would be a good start.

yup. i knew you guys were aware of it and just backlogged, i only mentioned it so he would be aware of it and not move forward with the mysql integration if he had a need for definite sequencing- because he would lose that capability... trying to head off the problem before it happens.

if i weren't backlogged myself at the moment, this is one of those things i would probably write the fix for- however it would be fairly extensive. it would involve changes to vdelivermail, valias, vuserinfo, and probably a few other vpopmail programs... as well as qmailadmin, to add the multi-line and sequencing support options. lots of little changes, and i'm not as familiar with the code for vpopmail and qmailadmin as i am with qmail.

| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <[EMAIL PROTECTED]> |
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |
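
The sequencing problem and the auto-increment fix discussed in this thread, shown as an added example that is not part of the original messages or of vpopmail's code. It assumes SQLite as a stand-in for MySQL, the column names `alias`, `domain` and `valias_line`, a hypothetical `seq` column, and a constructed index and sample `.qmail` lines.

```python
import sqlite3

# Constructed sample: a two-line .qmail file whose order matters.
# The addresses and the filter path are hypothetical.
DOT_QMAIL = [
    "| condredirect spamtrap@example.com /usr/local/bin/is-spam",
    "&alice@example.com",
]
KEY = ("alice", "example.com")


def build(with_seq):
    """Create a valias table, with or without the proposed sequence column."""
    db = sqlite3.connect(":memory:")
    seq = "seq INTEGER PRIMARY KEY AUTOINCREMENT, " if with_seq else ""
    db.execute(
        f"CREATE TABLE valias ({seq}alias TEXT NOT NULL, "
        "domain TEXT NOT NULL, valias_line TEXT NOT NULL)"
    )
    # Constructed covering index: lets the engine answer from the index,
    # so rows come back in index order instead of insertion order.
    db.execute("CREATE INDEX valias_idx ON valias (alias, domain, valias_line)")
    db.executemany(
        "INSERT INTO valias (alias, domain, valias_line) VALUES (?, ?, ?)",
        [KEY + (line,) for line in DOT_QMAIL],
    )
    return db


def delivery_lines(db, ordered):
    """Return the alias lines in the order a delivery agent would read them."""
    sql = "SELECT valias_line FROM valias WHERE alias = ? AND domain = ?"
    if ordered:
        sql += " ORDER BY seq"  # the sort on the auto-increment field
    return [row[0] for row in db.execute(sql, KEY)]


if __name__ == "__main__":
    print("no sequence column:", delivery_lines(build(False), ordered=False))
    print("ORDER BY seq:      ", delivery_lines(build(True), ordered=True))
```

Without the sequence column the forward line is returned ahead of the `condredirect` line, so the filter no longer runs first; with `ORDER BY seq` the lines come back in the order they were stored.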
