Hi there.

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 17, 2001 5:10 AM
Subject: Re: Authentication Cyrus/sasl


> Sendmail and cyrus don't cooperate very well with file access.

I've encountered the following problem in trying to use sendmail w/ SASL and
cyrus' imap w/ SASL at the same time:

Per default both will want read access to the /etc/sasldb.
Furthermore sendmail usually will not allow this file to be writable or
readable by any other user than the one which it is running as.

This, at first, seems unsolvable, as my sendmail daemon is running as a
privileged user, as opposed to cyrus imap.

But sendmail is kind enough to offer an option which will allow for the
/etc/sasldb to be group-readable.
So I chmod/own'ed the file to 640/root.cyrus, where the group cyrus is the
default group for user cyrus, with no other users in it.

I supposed this to work, as
  # su cyrus
  $ cat /etc/sasldb
did work, too... but it did not. Cyrus imap, even though running as cyrus,
did not have the permission to read the file. chown'ing would have worked
though, but was not an option as it would not have been accepted by
sendmail's security checks.

Well, I have changed the source code of `master`, and now it works. But I
don't know whether it will impose any security risks or the general
operability of cyrus imap.

These are my changes to file /usr/src/cyrus-imapd-2.07/master/master.c :

    int become_cyrus(void)
     {
         struct passwd *p;
         static int uid = 0;
+        static int gid = 0;

-        if (uid) return setuid(uid);
+        if (uid&&gid) return (setgid(gid) || setuid(uid)) ;

         p = getpwnam(CYRUS_USER);
         if (p == NULL) {
             syslog(LOG_ERR, "no entry in /etc/passwd for %s", CYRUS_USER);
             return -1;
         }
         uid = p->pw_uid;
+        gid = p->pw_gid;
-        return setuid(uid);
+        return (setgid(gid) | setuid(uid)) ;
     }
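
Review bot: the final `return (setgid(gid) | setuid(uid)) ;` uses bitwise `|`, whose operands C may evaluate in either order, so setuid() can run first and the setgid() that follows will then generally fail because the process has already given up its privileges. Use the short-circuit form from the cached path, `setgid(gid) || setuid(uid)`, or better two explicit checks that each return -1, since `||` yields 1 on failure while the getpwnam() branch returns -1 and the two return paths should agree. Two smaller points: no setgroups() or initgroups() call appears before setgid() on either path, so the process keeps whatever supplementary groups master was started with; and `if (uid&&gid)` never takes the cached path when the cyrus user's pw_gid is 0.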

Any comment on whether this course of action is acceptable is welcome.

Thanks, Robert.

---
The universe is filled with dark letters even though we can't see them. 90%
of all letters are dark.
