On 2007-08-22, at 1952, John Simpson wrote:
On 2007-08-22, at 1534, Bob wrote:


Many of us use either qmail-scanner-queue or simscan via patched qmail ahead of vpopmail. If, as is good prcatice, we allow the scanner to run under its own user ID, vchkpw will fail because instead of running as user "vchkpw" it is running as the scanner user which doesn't have access to the password files. I would like to suggest that in the make install, the permission for vchkpw be set to 4711 so that it will always execute as the vchkpw user. Doing this will eliminate a bit of extra work when upgrading and will stop the large number of user questions when they do their qmail installs.

i've been doing this for several years.

let me correct this statement... i DID this for years, but i don't do it any longer.

the problem that bob is talking about is this- if somebody is using the normal AUTH patch for qmail, and wants to use "vchkpw" as a method of allowing qmail-smtpd to validate AUTH commands, the "vchkpw" command needs to have permission to read the vpasswd.cdb files. and if it runs as the "qmaild" user, it doesn't have that permission.

one solution, and what i did myself for a few years, is to make "vchkpw" run setuid root. however, some people set up vpopmail domains using different system uid's (i.e. vadddomain with the "-u" option) for different domains, as a way to implement "domain quotas" by setting a filesystem quota on the uid which controls the domain. in this situation, you do NOT want vchkpw to be setuid to the vpopmail user.

a better solution is to make qmail-smtpd use something other than a checkpassword program (which is what "vchkpw" actually is) to verify passwords. this was the reason that i wrote an addition to my combined qmail patch, which teaches qmail-smtpd to use an "auth.cdb" file, with email addresses as keys and encrypted passwords as values, to validate AUTH commands. since i've started using this, i haven't needed "vchkpw" to be setuid, and in fact it's not setuid on my server any more.

one of these days i'll get around to writing an AUTH_CDB patch for djb's virgin qmail-1.03 code, and probably for netqmail-1.05 as well, but for now it's available in my combined patch (which has lots of other yummy features as well.)

----------------------------------------------------------------
| John M. Simpson    ---   KG4ZOW   ---    Programmer At Large |
| http://www.jms1.net/                         <[EMAIL PROTECTED]> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------


Attachment: PGP.sig
Description: This is a digitally signed message part

Reply via email to