On Wed, 20 Sep 2000, andy wrote:

> Just one question for y'all. 
> 
> As per the "humorous" thread, none of you are obliged to answer, and if I in any way 
> come off as an asshole or idiot feel free to harass me. ( Oh shit! that wasn't an
> asshole thing to say was it? )
>  
> Is qmail-popup\qmail-pop3d supposed to run as root?
> 
> Thanks in advance,
> 
> -Andy
> 

Simple answer, yes.

Long explanation.  qmail-popup reads the username and password from the
socket and passes them to the next program (usually checkpassword by djb
or another program based on it).  checkpassword verifies the username and
password and changes the gid and uid and privileges to become the user
just verified.  It then runs qmail-pop3d as that user.

The fact that checkpassword switches to the identity of the verified user
is what requires qmail-popup to be run as root.  It is also what provides
protection from any exploits in qmail-pop3d (none have been found to date
and based on Dan's and Russ' coding, I doubt that any will be found).
qmail-pop3d runs as the user who owns the mailbox being accessed and
therefore can only access files and directories available to that user.

---------------------------------
Timothy L. Mayo                         mailto:[EMAIL PROTECTED]
Senior Systems Administrator
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc.      http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA  15146
(412) 810-8888 Phone
(412) 810-8886 Fax
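
The chain described in the reply above, sketched as an added example; it is not part of the original message and is not djb's checkpassword source. The names `parse_fd3`, `become_user`, `verify_fn` and `handoff` are hypothetical, the password check is left to a caller-supplied function, and the descriptor-3 record layout and exit codes are taken from the checkpassword interface rather than from the message.

```c
#define _DEFAULT_SOURCE 1               /* setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>

/* Split "login\0password\0timestamp\0", the record read from descriptor 3.
 * Returns 0, or -1 if one of the three fields lacks its terminator. */
int parse_fd3(char *buf, size_t len, char *field[3])
{
    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        char *nul = memchr(buf + off, '\0', len - off);
        if (nul == NULL) return -1;
        field[i] = buf + off;
        off = (size_t)(nul - buf) + 1;
    }
    return 0;
}

/* Groups, then gid, then uid: once the uid is dropped the process may no
 * longer change its groups. Returns 0, or -1 (caller must exit). */
int become_user(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) == -1) return -1;    /* EPERM unless root */
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    if (uid != 0 && setuid(0) != -1) return -1; /* root must be gone for good */
    return 0;
}

/* ASSUMPTION: the password check itself is supplied by the caller. */
typedef int (*verify_fn)(const struct passwd *pw, const char *password);

/* Verify, switch identity, run the subprogram. Exit codes follow the
 * checkpassword convention: 1 rejected, 2 misuse, 111 temporary problem. */
int handoff(char *buf, size_t len, verify_fn verify, char **subprogram)
{
    char *f[3];
    if (parse_fd3(buf, len, f) == -1) return 2;
    struct passwd *pw = getpwnam(f[0]);
    if (pw == NULL || !verify(pw, f[1])) return 1;
    if (become_user(pw->pw_uid, pw->pw_gid) == -1) return 111;
    if (chdir(pw->pw_dir) == -1) return 111;
    execvp(subprogram[0], subprogram);          /* e.g. qmail-pop3d, as the user */
    return 111;
}
```

Called from a process that was not started as root, `become_user()` fails at `setgroups()` and `handoff()` returns 111 instead of running the POP3 server under the wrong identity.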
