On 15.04.11 16:14, Matt Brookings wrote:

On 04/15/2011 09:07 AM, Johannes Weberhofer wrote:
Dear all,

I'm currently doing some packaging work for vpopmail, and have reviewed
the file properties. I have seen that all files (except vusaged in 5.5)
have the properties set to "-rwx--x--x 1 vpopmail vchkpw". Shouldn't
that be more restrictive? E.g. set to 0750 or even owned by root? In an
older package of mine (it was 5.4.25) I have set it to 0750 root.root,
which never caused any problems.

You may set the permissions how you like, but there's really nothing
secret contained within the vusaged binary in 5.5.  The permissions
you're referring to, which have been kept from 5.4 just because there's
no reason to change them, were there because the binaries statically
linked authentication mechanisms that sometimes had hard-coded
authentication values in them.

5.5 binaries do not statically link against the authentication backend.

In this case, you would be concerned about permissions on the shared
objects used for authentication.

Tools like vadddomain fail when called by a regular user (Error: Can not make
domains directory). I haven't checked for the other tools, but I think no user
except root can use those. So it could be good to change permissions to 0750
root.root. It's a kind of security improvement, too.

You don't see any issues with moving the binaries to /usr/sbin, do you?


Regarding the FHS, I think those binaries should be moved to /usr/sbin.
What do you think?

Regarding the documentation I'd recommend changing the examples to
install vpopmail into /var/lib/vpopmail, following the FHS 2.3 section 5.1.

What examples are you referring to?

I had a look at doc/INSTALL.

--
/*
     Matt Brookings<m...@inter7.com>        GnuPG Key FAE0672C
     Software developer                     Systems technician
     Inter7 Internet Technologies, Inc.     (815)776-9465
*/

--
Johannes Weberhofer
Weberhofer GmbH, Austria, Vienna
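
A permission audit for the two concerns raised in this thread (binaries any local user can run, and files any local user can read, which matters for anything that embeds authentication values), as an added example that is not part of the original messages or of vpopmail. The function name `audit_perms` is hypothetical, the directories to scan are supplied by the caller, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example, not vpopmail code. Assumes GNU stat (stat -c).
# Usage: audit_perms DIR...   (pass the binary and auth-module directories)
# Prints "MODE OWNER:GROUP PATH: findings" for each regular file whose mode
# grants something that 0750 would not, or that carries setuid/setgid bits.

# add_flag MODE MASK LABEL: append LABEL to $findings if MODE has MASK set.
add_flag() {
    if [ $(( $1 & $2 )) -ne 0 ]; then
        findings="$findings $3"
    fi
}

audit_perms() {
    find "$@" -type f | sort | while IFS= read -r f; do
        mode=$(stat -c %a "$f")
        owner=$(stat -c %U:%G "$f")
        m=$((0$mode))          # leading 0 makes the shell parse it as octal
        findings=""
        # Readable by everyone: contents, including any hard-coded
        # credentials, can be inspected by every local account.
        add_flag "$m" 0004 world-readable
        # Writable by everyone: the file can be replaced by any local user.
        add_flag "$m" 0002 world-writable
        # Executable by everyone: the 0711 case discussed above.
        add_flag "$m" 0001 world-executable
        # setuid/setgid deserve a manual look whatever the other bits are.
        add_flag "$m" 06000 setuid-or-setgid
        if [ -n "$findings" ]; then
            printf '%s %s %s:%s\n' "$mode" "$owner" "$f" "$findings"
        fi
    done
}
```

A file at 0750 produces no output, so an empty result means every scanned file is at least as tight as the mode proposed in the thread.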
