2009/4/2 John Simpson <j...@jms1.net>

> i hope these aren't the settings you're actually using on a real server
> anywhere.

Yes they are on a live server serving > 3 million users. But these programs
have extra authentication/checks before they actually do the setuid(). In
fact that is the first thing done after main(). These programs exit if they
are not running under appropriate environment. and they are not the original
vpopmail programs.
Some of these require (vadddomain, vdeldomain) require root to update the
qmail assign file. The root password for the servers running these programs
are not with the administrators.
I have given a wrong example. The 4555 should be read as 555 instead.

> if so, ANY user on the system, including the apache anonymous user, can
> wipe out every mailbox on the system, with one command.

Agree and hence the first thing after main(), these programs ask for extra
userid/password (which is given to the mail administrators who do not have
the root passwords of the host).

> you DO NOT want these to be setuid root. in fact, you don't want ANY of the
> binaries to be setuid root, except possibly for vpopmaild, and that only if
> you want to allow it to create and remove domains- otherwise it can run as
> the vpopmail user with no ill effects.
I have not explored that. Example could be making qmail-newu to be setuid
root and making the assign file writeable by vpopmail. But getting the root
password or doing ssh root is out of question in my production environment.


Reply via email to