First my scenario:
I've build a custom script to add a disclaimer via altermime.
Due to the nature of altermime works, it needs to alter the mail message
stored in the /var/qsheff/spool/.../_temp_file_name (passed to the
script via %%mailfile%% var)
I have seen that qmail-qsheff is owned by uid root and gid qmail, and
then setuid .
This kind or permission does not allow my perl script to call altermime,
because the env is not tainted.
So i've had modified the perimission of qmail-qsheff by removing setuid
flag and giving it uid a gid of the right user (in my case vpopmail).
I've also gave the right permission to /var/qsheff/* stuff ( so
altermime could modify in the right way the spool file )
All seems to work, eg: mails gets altermimed and sended correctly to
user, but my question is: Does this kind of setup introduce some level of
security risk ?
Thx in adavance,
Davide
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
