Re: users bypassing shaper limitation
On Fri, 29 Jun 2001, anon wrote:
> my problem is that some local users are changing their own local ip numbers
> (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper
> bandwidth limitation. (that was set on 192.168.1.40)
>
> anyone know how can i prevent this ?

The first thing that pops into mind is to use DHCP and give an IP lease to the machines in your local network based on the NIC's MAC address. I guess the only way out for the "bad guys" is to swap the NICs from another machine to get the same effect as changing the IPs now.

Regards,
Maurice Verhagen
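An added example, not part of the thread: once every NIC has a fixed lease as suggested above, the gateway's ARP table can be compared with the list of assigned addresses to spot a machine answering on an address it was not given. The function names, the "MAC IP" bindings format and the sample data are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Compares an ARP table in the Linux
# /proc/net/arp layout with the expected "MAC IP" bindings.
# Function names, the bindings format and all sample data are constructed.

# Constructed bindings: one "MAC IP" pair per line, as assigned by DHCP.
sample_bindings() {
    cat <<'EOF'
00:50:56:aa:bb:01 192.168.1.40
00:50:56:aa:bb:02 192.168.1.41
EOF
}

# Constructed ARP table: the first NIC now answers on 192.168.1.50 and a
# NIC without any binding has appeared on the segment.
sample_arp() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.50     0x1         0x2         00:50:56:AA:BB:01     *        eth0
192.168.1.41     0x1         0x2         00:50:56:aa:bb:02     *        eth0
192.168.1.60     0x1         0x2         00:50:56:aa:bb:99     *        eth0
EOF
}

# find_ip_drift BINDINGS ARP
# Prints one line per ARP entry that does not match its binding:
#   MOVED   <mac> <assigned-ip> <seen-ip>
#   UNKNOWN <mac> <seen-ip>
find_ip_drift() {
    awk -v b="$1" '
        FILENAME == b { want[tolower($1)] = $2; next }  # load the bindings
        FNR == 1      { next }                          # ARP header line
        $3 == "0x0"   { next }                          # incomplete entry
        {
            mac = tolower($4); ip = $1
            if (!(mac in want))       print "UNKNOWN", mac, ip
            else if (want[mac] != ip) print "MOVED", mac, want[mac], ip
        }
    ' "$1" "$2"
}

# Typical use on the shaper host (the bindings path is a placeholder):
#   find_ip_drift /etc/shaper/bindings /proc/net/arp
```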
MTA - MLM - DNS configuration question
I've been asked to set up an MLM alongside a web server and I wanted to ask a quick question to the experienced, before I put a lot of time into setting this up.

My situation: I'm responsible for a web server that has sendmail installed and is configured to send email via Perl and PHP scripts, but doesn't receive any. Recently my supervisor has asked me to set up mailing list capabilities on the web server, because the IS department doesn't have the capacity to do so at present and they want tight integration between the mailing lists and the web server (web based subscribe/unsubscribe pages for lists and archives).

Based upon various threads that I've followed on this list and other research, I've decided to switch from sendmail to postfix and to use the GNU Mailman MLM (I'm open to other suggestions...)

My question is this: The DNS is under the jurisdiction of the IS department and the MX record @mydomain.org is set up to point at their email server. Does it make sense and is it possible to set up another MX record: @lists.mydomain.org which will point at the web server?

I realize that it is generally a bad idea to set up your web server to do double duty as an email server. Any ideas regarding at what message volume a mail server will have a serious negative impact on a web server running on the same machine would be appreciated.

Thanks in advance
eirik
Re: users bypassing shaper limitation
If the nodes in question are plugged into a switch with management capabilities then you could set the security of the port to only allow legal MAC/IP addresses. It depends on the switch.

You could go to the person and whack them on the head. Which might be the easiest.

Chris

At 06:12 PM 6/29/2001, anon wrote:
>hello all, this is my first post.
>
>my problem is that some local users are changing their own local ip numbers
>(like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper
>bandwidth limitation. (that was set on 192.168.1.40)
>
>anyone know how can i prevent this ?
>thanks in advance

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
users bypassing shaper limitation
hello all, this is my first post. my problem is that some local users are changing their own local ip numbers (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper bandwidth limitation. (that was set on 192.168.1.40) anyone know how can i prevent this ? thanks in advance
Re: Apache - SIGSEGV but no core dumps.
Przemyslaw Wegrzyn wrote:
> Hello !
>
> I have noticed the following lines in Apache's error.log:
>
> [Fri Jun 29 17:35:41 2001] [notice] child pid 18786 exit signal Segmentation fault (11)
> [Fri Jun 29 17:35:54 2001] [notice] child pid 20229 exit signal Segmentation fault (11)

I've experienced the same problem some weeks ago. My problem was libraries!!! I installed Debian 2.2 r0 and everything was really fine (as expected :), until my partner installed something directly from the Debian repository (> r0). Then every time we access the server using M$ IE ver. 5.0 some of the connections died and the error log was exactly the same you describe! I solved the problem doing an "apt-get dist-upgrade" to 2.2 r2!! If you have done the same as us then this is your solution, else... ?? ;)

> I've strace'd Apache - the child process dies after finishing handling the request and writing a line to the access log, so it isn't critical, but...
>
> I use Apache 1.3.19 + php4.0.5 from Woody in a chrooted environment.
>
> My problem is actually I can't force Apache to drop core files. I've added ulimit -c unlimited to /etc/init.d/apache, and set CoreDumpDirectory to some world writeable dir. Nope - I can't get any core to do backtrace on it. Why ?
>
> -=Czaj-nick=-

--
Pedro Braga
Eng. Telec./Programador
http://www.iportalmais.pt
Re: Perl DBD driver for Sybase/MS SQL Server?
> PHP4 has recently got a php4-sybase module, so is there a chance
> a perl counterpart dbd-sybase package in sid/woody?
> This driver would also enable access to MS SQL Servers, I guess.
> The answer to the question "Can I access my M$ server with Perl?"
> could be turned from plain "no" to a "Should work, but you have to try
> it with your version of sqlserver." for debian.

It's actually a "no, but...": http://www.open.com.au/radiator/faq.html#13

I picked the fourth of the five listed options for a project. It worked fine. I could supply you with details, if you take that route.

--
Address: Gerrit Griebel, Koppel 6, 20099 Hamburg
Telephone: +49-40-28054663, E-Mail: [EMAIL PROTECTED]
Re[2]: postfix + sasl + pam
Hey Haim,

Friday, June 29, 2001, 1:13:42 PM, you wrote:

HD> Kevin,
HD> AFAIK, you can use PAM directly from Postfix without having to go through
HD> SASL. The book from R. Blum fails to mention it.
HD> Haim.

Umm . . . how? And still, that doesn't fix this odd behaviour :-/

Btw, I don't have the Blum book, after the not-so-good reviews it got from people on the postfix-users list.

--
Kevin
Re: postfix + sasl + pam
Kevin,

AFAIK, you can use PAM directly from Postfix without having to go through SASL. The book from R. Blum fails to mention it.

Haim.

"Kevin J. Menard, Jr." wrote:
>
> Hey guys,
>
> Anyone here have all this working together? I apt-get'ed the source for
> postfix and altered the debian/rules file to add SASL support for SMTP
> auth.
> The build went fine, but it apparently always tries to use the sasldb,
> even
> though I set up my /usr/lib/sasl/smtpd.conf file to use PAM as the
> pwcheck_method. Anyone know what gives?
>
> Thanks.
postfix + sasl + pam
Hey guys, Anyone here have all this working together? I apt-get'ed the source for postfix and altered the debian/rules file to add SASL support for SMTP auth. The build went fine, but it apparently always tries to use the sasldb, even though I set up my /usr/lib/sasl/smtpd.conf file to use PAM as the pwcheck_method. Anyone know what gives? Thanks. -- Kevin
Apache - SIGSEGV but no core dumps.
Hello !

I have noticed the following lines in Apache's error.log:

[Fri Jun 29 17:35:41 2001] [notice] child pid 18786 exit signal Segmentation fault (11)
[Fri Jun 29 17:35:54 2001] [notice] child pid 20229 exit signal Segmentation fault (11)

I've strace'd Apache - the child process dies after finishing handling the request and writing a line to the access log, so it isn't critical, but...

I use Apache 1.3.19 + php4.0.5 from Woody in a chrooted environment.

My problem is actually I can't force Apache to drop core files. I've added ulimit -c unlimited to /etc/init.d/apache, and set CoreDumpDirectory to some world writeable dir. Nope - I can't get any core to do backtrace on it. Why ?

-=Czaj-nick=-
Re: smbclient question.
> smbclient //server/share -U user%password -c "cd location\of\data;mget *"
>
> Then it says :
>
> Get file file1.txt?
>
> and this will then stop it from working in a script that is a cronjob. Any
> ideas on how I can get
> it to just get the files and not ask anything?
>

From man smbclient:

prompt
    Toggle prompting for filenames during operation of the mget and mput commands. When toggled ON, the user will be prompted to confirm the transfer of each file during these commands. When toggled OFF, all specified files will be transferred without prompting.

Isn't it what you're looking for ?

-=Czaj-nick=-
Re: smbclient question.
Marcin,

I just tested that out and you are right. There is a prompt in smbclient! Cool.

Greg

On Fri, 29 Jun 2001, Marcin Owsiany wrote:
> On Fri, Jun 29, 2001 at 04:01:53PM +0100, Friedrich wrote:
> >
> > smbclient //server/share -U user%password -c "cd location\of\data;mget *"
> >
> > Then it says :
> >
> > Get file file1.txt?
> >
> > and this will then stop it from working in a script that is a cronjob. Any
> > ideas on how I can get
> > it to just get the files and not ask anything?
>
> I don't know about smbclient, but FTP has a 'prompt' command
> to solve this problem. Maybe try 'prompt n' before that?
>
> Marcin
>

--
Greg Rowe
Paranoia is a virtue.
http://www.therowes.net
Re: smbclient question.
On Fri, Jun 29, 2001 at 04:01:53PM +0100, Friedrich wrote:
>
> smbclient //server/share -U user%password -c "cd location\of\data;mget *"
>
> Then it says :
>
> Get file file1.txt?
>
> and this will then stop it from working in a script that is a cronjob. Any
> ideas on how I can get
> it to just get the files and not ask anything?

I don't know about smbclient, but FTP has a 'prompt' command to solve this problem. Maybe try 'prompt n' before that?

Marcin

--
- Marcin Owsiany [EMAIL PROTECTED] -
Re: smbclient question.
You could use

smbmount //smb_name/share mountpoint -o username=<>, password=<> ...

Of course if you don't have root access or smbmount isn't suid then this method won't work.

Greg

On Fri, 29 Jun 2001, Friedrich wrote:
> Hi,
>
> I wish to use smbclient to backup some windows shares onto a Linux box. Now
> this will be run in a
> script so I should like to have it not prompt for anything. So far I can get
> it to retrieve a single
> file without prompting with this command :
>
> smbclient //server/share -U user%password -c "cd location\of\data;get file1.txt"
>
> but if I use :
>
> smbclient //server/share -U user%password -c "cd location\of\data;mget *"
>
> Then it says :
>
> Get file file1.txt?
>
> and this will then stop it from working in a script that is a cronjob. Any
> ideas on how I can get
> it to just get the files and not ask anything?
>
> Thanks, Friedrich.
>

--
Greg Rowe
Paranoia is a virtue.
http://www.therowes.net
smbclient question.
Hi,

I wish to use smbclient to backup some windows shares onto a Linux box. Now this will be run in a script so I should like to have it not prompt for anything. So far I can get it to retrieve a single file without prompting with this command :

smbclient //server/share -U user%password -c "cd location\of\data;get file1.txt"

but if I use :

smbclient //server/share -U user%password -c "cd location\of\data;mget *"

Then it says :

Get file file1.txt?

and this will then stop it from working in a script that is a cronjob. Any ideas on how I can get it to just get the files and not ask anything?

Thanks, Friedrich.
Re: non-root postfix admin; sudo -vs- super
NB> I see that by default the files in /etc/postfix are owner: group
NB> root:root. This obviously doesn't lend itself to the contents thereof
NB> being admin'ed by admins who don't otherwise enjoy the total freedom of
NB> the system (nor is it best for those of us who like to spend as little
NB> time as is necessary as root).

NB> There would seem to be (at least) three solutions:

NB> * different owner:group and mode
NB> * use sudo -or- super to allow postfix admins to do what is necessary.

NB> What do people see as the relative merits of these?

NB> What are the differences between sudo and super in these kind of
NB> circumstances?

NB> Any alternate solutions?

I want to warn you that if you give someone the ability to change postfix configs you can open a huge security hole. For example if someone can edit /etc/postfix/master.cf he/she effectively has root because he/she can set up a pseudo transport which will launch any script under any uid. And there exist other dangerous places in postfix configs.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Ilya Martynov (http://martynov.org/)                                    |
| GnuPG 1024D/323BDEE6 D7F7 561E 4C1D 8A15 8E80 E4AE BE1A 53EB 323B DEE6 |
| AGAVA Software Company (http://www.agava.com/)                          |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
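An added example, not part of the thread: the warning above concerns master.cf entries that start external programs, so a review step can list exactly those entries (the pipe and spawn daemons with their user= and argv= attributes) and compare them with a reviewed baseline before any reload. The function names, the baseline file and the sample master.cf are constructed for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Lists the master.cf services that
# run an external program, with the account and command each one uses.
# Function names, the baseline file and the sample data are constructed.

# Constructed master.cf fragment. Lines that start with whitespace continue
# the previous entry, as in the real file format.
sample_master_cf() {
    cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
cleanup   unix  n       -       -       -       0       cleanup
listfeed  unix  -       n       n       -       -       pipe
  flags=R user=list
  argv=/usr/local/bin/listfeed ${recipient}
policy    unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/local/bin/policyd
EOF
}

# list_external_commands FILE
# Prints "service daemon user program" for every pipe or spawn entry.
list_external_commands() {
    awk '
        function report(   n, f, i, user, prog) {
            if (entry == "") return
            n = split(entry, f)
            if (n >= 8 && (f[8] == "pipe" || f[8] == "spawn")) {
                user = "(none)"; prog = "(none)"
                for (i = 9; i <= n; i++) {
                    if (f[i] ~ /^user=/) user = substr(f[i], 6)
                    if (f[i] ~ /^argv=/) { prog = substr(f[i], 6); break }
                }
                print f[1], f[8], user, prog
            }
            entry = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        /^[ \t]/ { entry = entry " " $0; next }       # continuation line
                 { report(); entry = $0 }             # start of a new entry
        END      { report() }
    ' "$1"
}

# master_cf_matches_baseline FILE BASELINE
# Succeeds only when the external-command entries equal the reviewed list.
master_cf_matches_baseline() {
    [ "$(list_external_commands "$1")" = "$(cat "$2")" ]
}
```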
Re: non-root postfix admin; sudo -vs- super
On Fri, Jun 29, 2001 at 05:07:46PM +1000, Neale Banks wrote:
> * use sudo -or- super to allow postfix admins to do what is necessary.
>
> What do people see as the relative merits of these?
>
> What are the differences between sudo and super in these kind of
> circumstances?

i use sudo. it's easy to understand and easy to configure. it works well enough that i've never had any need to examine super closely. try both, see which one you like most.

i write little wrapper scripts like the following:

---cut here---/usr/local/sbin/editradius---cut here---
#! /bin/bash
# this one is run by any user in group admin
cd /etc/radius
co -l radius.users
sensible-editor radius.users
sudo /usr/local/sbin/makeradius
ci -u radius.users
---cut here---

---cut here---/usr/local/sbin/makeradius---cut here---
#! /bin/bash
# this one is run with sudo from editradius
cd /etc/radius
/usr/bin/make -f ./Makefile
---cut here---

the 660 permissions on the /etc/radius/radius.users file allow the admin group to edit it and check it in to RCS. the Makefile in /etc/radius then generates the real cistron users file and runs /etc/init.d/radiusd reload (and does some other stuff like rsyncing various files to other machines as a Q&D backup)

/etc/sudoers is configured to allow admin staff to run /usr/local/sbin/makeradius as root.

the point of doing it this way is to give the absolute minimum privileges required to do the job. it would have been much easier to just make the editradius script sudo-able, but that would have affected the user-id that the changes were attributed to by RCS. even worse, it would have given them an editor such as vi running as root (may as well give them root).

btw, in any script that runs as root it's important to specify the full paths to binaries (alternatively, explicitly set the PATH to a known safe value) so that the users can't play evil tricks with the PATH.

this isn't specific to the postfix question you asked, but these principles can be applied to any setuid root tasks. never let a user run an editor as root. if you can't change the perms on the file then write a wrapper script to lock the file and copy it, and another wrapper to copy it back and unlock it. configure sudo to allow those wrapper scripts to be run as root.

craig

--
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
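An added example, not part of the post: one way to write the "lock the file and copy it" and "copy it back and unlock it" wrappers described above, with a fixed PATH and a fixed target so that sudo never runs an editor as root. All names here (cfg_checkout, cfg_checkin, validate_cfg, the .lock/.work/.bak suffixes, /etc/example/app.conf and the sudoers path) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): the lock/copy-out and copy-back/unlock
# wrapper pair, meant to be the only thing sudo runs as root. All names and
# paths are hypothetical. Matching sudoers entry for a script installed as
# /usr/local/sbin/cfgedit:
#   %admin ALL = (root) /usr/local/sbin/cfgedit checkout, /usr/local/sbin/cfgedit checkin

# Known-safe PATH, so the caller's environment cannot choose the binaries.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
umask 077

# Sanity check run on the edited copy before it is installed. This sketch
# only rejects an empty file; a real wrapper would call the service's own
# syntax checker here by absolute path.
validate_cfg() {
    [ -s "$1" ]
}

# cfg_checkout TARGET OWNER
# Take the lock and give OWNER a private working copy next to TARGET. The
# directory stays root-owned, so OWNER can change the copy's contents but
# cannot replace the file itself.
cfg_checkout() {
    target=$1; owner=$2
    lock=$target.lock; work=$target.work
    [ -f "$target" ] && [ ! -L "$target" ] ||
        { echo "not a regular file: $target" >&2; return 1; }
    # mkdir is atomic: it fails if someone else already holds the lock.
    mkdir "$lock" 2>/dev/null ||
        { echo "already checked out: $target" >&2; return 1; }
    printf '%s\n' "$owner" > "$lock/owner"
    rm -f "$work"
    if cp "$target" "$work" && chown "$owner" "$work"; then
        return 0
    fi
    rm -f "$work" "$lock/owner"; rmdir "$lock"
    return 1
}

# cfg_checkin TARGET OWNER
# Returns 1 if OWNER does not hold the lock, 2 if the edited copy fails
# validation (the lock is kept so the copy can be fixed), 0 once installed.
cfg_checkin() {
    target=$1; owner=$2
    lock=$target.lock; work=$target.work
    [ -n "$owner" ] && [ "$(cat "$lock/owner" 2>/dev/null)" = "$owner" ] ||
        { echo "lock not held by $owner" >&2; return 1; }
    [ -f "$work" ] && [ ! -L "$work" ] ||
        { echo "working copy missing or not a regular file" >&2; return 1; }
    validate_cfg "$work" ||
        { echo "validation failed, lock kept" >&2; return 2; }
    cp -p "$target" "$target.bak" || return 1
    # Write through the existing file so its owner and mode are preserved.
    cat "$work" > "$target" || return 1
    rm -f "$work" "$lock/owner"
    rmdir "$lock"
}

# Entry point when installed as the sudo-able script. The target is fixed
# here and never taken from the caller; sudo sets SUDO_USER.
TARGET=/etc/example/app.conf
case "${1:-}" in
    checkout) cfg_checkout "$TARGET" "${SUDO_USER:?must be run via sudo}" ;;
    checkin)  cfg_checkin  "$TARGET" "${SUDO_USER:?must be run via sudo}" ;;
esac
```

The admin edits the `.work` copy with an ordinary editor under their own account between the two calls, so the editor never runs with root privileges.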
Re: Virtual Domains Email: How do you do it?
On Thu, Jun 28, 2001 at 03:24:06PM -0500, Haim Dimermanas wrote: > I need to do email hosting for a large number of domains. My solution > consists in Postfix for the MTA, Cyrus for the LDA and IMP for the MUA. > Emails have to be accessible by POP as well. If you don't mind the fact that it is a commercial product, have a look at Communigate Pro [www.stalker.com]. It will provide you with all of the above. Ciao Charl __ I'm not closed-minded, you're just wrong. __ [ Charl Matthee ] [ +27-11-721-3800 ] [ Reality Manufacturing ] [ +27-11-405-6508 ] __
Re: Postfix and domain
On Fri, Jun 29, 2001 at 11:10:24AM +0200, [EMAIL PROTECTED] wrote:
> There is a problem with Postfix:
>
> [EMAIL PROTECTED]
>
> the email arrives,
>
> user@domain
>
> the email doesn't arrive

http://www.postfix.org/basic.html#mydestination

You need to put the domain in mydestination. Please look at documentation next time. Note that the above link is called basic.html!

--
Jeremy Lunn
Melbourne, Australia
Postfix and domain
Hi,

There is a problem with Postfix:

[EMAIL PROTECTED]

the email arrives,

user@domain

the email doesn't arrive

[DNS: MX points the host.domain]

Thanks in advance for any comment
non-root postfix admin; sudo -vs- super
Greetings all,

With particular relevance to potato...

I see that by default the files in /etc/postfix are owner: group root:root. This obviously doesn't lend itself to the contents thereof being admin'ed by admins who don't otherwise enjoy the total freedom of the system (nor is it best for those of us who like to spend as little time as is necessary as root).

There would seem to be (at least) three solutions:

* different owner:group and mode
* use sudo -or- super to allow postfix admins to do what is necessary.

What do people see as the relative merits of these?

What are the differences between sudo and super in these kind of circumstances?

Any alternate solutions?

Thanks,
Neale.