Hi,

        I downloaded courier-0.37.2.  Before building, I was reading over
the configure scripts, when I noticed that in the courier/configure script,
there is a check that the courier group is different from the maildrop
group or else it emits this warning:

        ERROR: The maildrop and courier group id are the same: $gid
        ERROR: This is a security hole, they must be different!
        Use --enable-maildrop-gid, or --with-mailgroup, to set a
        different maildrop or courier group id.

(Can someone please explain what the security bug is?  Thanks!) However,
grepping the sources doesn't seem to indicate that maildrop_gid or
MAILDROPGID are used anywhere in the Courier sources, and maildrop/uidgid
is only called from courier/perms.sh.  However, courier/perms.sh actually
ignores the value of the maildrop gid, and instead sets the permissions on
the maildrop executable to be root:${mailgroup}, which means it has the
same group permissions as all of the other courier executables.

        I'm not saying this is an actual security bug.  I'm only asking if
this is an inconsistency that I'm misreading or misunderstanding.

        Thanks,

        -- Johnny Lam <[EMAIL PROTECTED]>

_______________________________________________
courier-users mailing list
[EMAIL PROTECTED]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
