On Mon, 7 Feb 2000 [EMAIL PROTECTED] wrote:

> I'm trying to run a program for each email sent to a certain address. So I
> have a .qmail file in the correct directory, which looks something like
> this:
> 
>       |/var/qmail/bin/preline /usr/local/junk/test
> 
> The app (/usr/local/junk/test) is very security conscious. It checks itself
> for permissions, which must be 770 else it complains and doesn't run.

770 is not VERY security conscious :)

> 
> Let's also say that the app has another requirement of owner/group =
> test/testgrp. I've placed all the qmail users in the group testgrp
> (qmaild,qmaill,qmailp,qmailq,qmailr,qmails), so the 770 access should be
> enough for qmail to run the app. I've tested this by giving qmailq a shell
> and logging in to verify the user has permissions to run the app.

Bad ideas. By the time a .qmail file is accessed, the effective uid
and gid have been changed to the user for whom the mail message was
intended (see the qmail pictures). So making the qmail users (qmaild
etc) members of group testgrp is not going to help. Also giving qmailq
a shell is a potential security nightmare - change it back now!

> 
> qmail still complains about not being able to access the file.

The user for whom the mail is destined needs to be in the group
testgrp to execute the file. It sounds like this is not the case in
your current environment.

> 
> If I change the permissions on the test app to 777, then qmail has no
> problem, but the security-anal app refuses to run in such a configuration.

Of course. See above. Also see the qmail pictures again - especially
the local delivery diagrams.

> 
> Has anyone run into such a problem? Does qmail honor group permissions?

Regards
Peter
----------
Peter Samuel                                [EMAIL PROTECTED]
Technical Consultant                        or at present:
eServ. Pty Ltd                              [EMAIL PROTECTED]
Phone: +61 2 9206 3410                      Fax: +61 2 9281 1301

"If you kill all your unhappy customers, you'll only have happy ones left"
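As an added example, not part of the original thread, here is a small Python model of the permission check Peter describes: qmail-local runs the `|command` line in the .qmail file as the recipient user, so that user's uid and groups decide whether the file is executable, and the app's own 0770 self-check is applied afterwards. The uids, gids and the recipient name `alice` are constructed for illustration.

```python
# Added example (not part of the original thread): a model of the Unix
# access check that a "|command" line in a .qmail file is subject to.
# The point from the reply: qmail-local runs the command as the
# *recipient* user, so that user's uid/gids decide, not qmaild/qmailq.
# Names and numeric ids (test, testgrp, qmailq, alice) are constructed.
import stat

def can_execute(mode, owner, group, uid, gids):
    """Return True if a process with (uid, gids) may execute a file
    with the given permission bits, owner and group.  Mirrors the
    kernel rule: the owner class is used if uid matches, otherwise the
    group class if any gid matches, otherwise the 'other' class."""
    if uid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def app_accepts(mode):
    """The app's own self-check from the thread: it refuses to run
    unless its permission bits are exactly 0770."""
    return stat.S_IMODE(mode) == 0o770

# Constructed uids/gids for the scenario in the thread.
TEST_UID, TESTGRP_GID = 1001, 2001      # owner test, group testgrp
QMAILQ_UID, ALICE_UID = 500, 1500       # qmailq and recipient alice
QMAILQ_GIDS = {501, TESTGRP_GID}        # qmailq was added to testgrp

def delivery_outcome(mode, recipient_uid, recipient_gids):
    """What happens when mail for the recipient hits the .qmail line:
    qmail-local runs the command as the recipient, then the app
    applies its own 0770 check."""
    if not can_execute(mode, TEST_UID, TESTGRP_GID,
                       recipient_uid, recipient_gids):
        return "qmail: permission denied"
    if not app_accepts(mode):
        return "app: refuses, mode is not 0770"
    return "runs"
```

The fix the reply points at is the third case: the recipient, not the qmail users, must be a member of testgrp.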
