On Jul 8, 2005, at 5:18 PM, Kurt Bigler wrote:
I noticed the following problem in 1.2.3 and it is unchanged in 1.2.8.
In the case of a user with "Standard (No Forwarding)" selected and "Spam
Detection?" checked, if I modify the user/.qmail file by hand as
follows:
change |/usr/bin/kdelivermail
to |/usr/bin/kdelivermail2
then qmailadmin shows the same state after the change. Any change
besides adding characters at the end is recognized as not the standard
no-forward spam-filtering state. But characters added at the end are
apparently ignored in the comparison.
Unfortunately I rather liked (better) how version 1.2.3 displayed a
hand-modified .qmail file in the case where a change other than
additional characters at the end of the line is made. It displayed the
entire line as the forward-to text. This at least let me know the state
of the file in a way that I could recognize from within qmailadmin. On
the other hand I can see that that was not a great solution either.
Good point. I can tighten up the string matching to be an exact line
match.
So I have the following suggestions.
(1) Tighten up the logic for detecting a match against one of the
standard qmail-admin states so that trailing characters are not ignored.
(2) When a case is detected that does not match one of the standard
states, display the .qmail lines under a "Custom" editing mode that
permits editing.
I think it would be OK to show the extra lines, but not to allow
editing. Heck, if the postmaster is logged in, maybe it should just
show the entire .qmail file in gray text below the radio buttons.
Letting a user for a domain edit their .qmail file opens up a huge
security hole -- one we had to fix in the 1.0 series when it was
possible to put anything in the "forward" line.
The problem is that anything I put in my .qmail file runs as user
vpopmail. That means I can craft a program delivery line that emails
the contents of your vpopmail.mysql file to me. Or any vpasswd file.
Or just deletes ~vpopmail/domains/domain.com/someguyihate.
I'm very resistant to adding support in QmailAdmin for editing .qmail
files directly. I understand it could be helpful if it was limited to
postmasters and all postmasters were trustworthy. I worry about
uninformed sysadmins who might enable such a feature without realizing
the holes it opens.
--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet:
sniffter.com
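
Added example (not part of the original message and not QmailAdmin's code): a prefix comparison that accepts the kdelivermail2 line as the standard state, next to the exact line match proposed above, plus a classifier that marks any other program delivery line for read-only display. STD_SPAM_LINE is taken from the command shown in the thread as a stand-in; all function and enum names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the standard spam-filtering delivery line; taken from the
   command shown in the thread, not from QmailAdmin's source (assumption). */
#define STD_SPAM_LINE "|/usr/bin/kdelivermail"

enum line_kind { LINE_STANDARD, LINE_CUSTOM_PROGRAM, LINE_OTHER };

/* Loose check modelling the reported behaviour: only the first
   strlen(std) bytes are compared, so trailing characters are ignored. */
int matches_prefix(const char *line, const char *std)
{
    return strncmp(line, std, strlen(std)) == 0;
}

/* Exact line match: ignore the line terminator, then require the same
   length and the same bytes. */
int matches_exact(const char *line, const char *std)
{
    size_t len = strcspn(line, "\r\n");
    return len == strlen(std) && memcmp(line, std, len) == 0;
}

/* Classify one .qmail line for display. A line that is not an exact
   standard line but starts with '|' is a program delivery (it would run
   as the vpopmail user), so it is reported separately for read-only
   display rather than being offered for editing. */
enum line_kind classify(const char *line)
{
    if (matches_exact(line, STD_SPAM_LINE))
        return LINE_STANDARD;
    if (line[0] == '|')
        return LINE_CUSTOM_PROGRAM;
    return LINE_OTHER;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real .qmail file. */
    const char *samples[] = {
        "|/usr/bin/kdelivermail\n",
        "|/usr/bin/kdelivermail2\n",
        "&user@example.com\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("prefix=%d exact=%d kind=%d  %s",
               matches_prefix(samples[i], STD_SPAM_LINE),
               matches_exact(samples[i], STD_SPAM_LINE),
               classify(samples[i]), samples[i]);
    return 0;
}
```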