Re: pop3d needs SUID root?
Quoting Aaron L. Meehan ([EMAIL PROTECTED]):

> Quoting Todd A. Jacobs ([EMAIL PROTECTED]):
> > When running pop3d, I get an error saying "no $HOME/Maildir" which may be
> > caused by the directory permissions of 0700 on both the home directory and
> > Maildir.
>
> qmail-pop3d is run as root by tcpserver, which is running as root. No
> suid bit is needed. qmail-pop3d switches to the userid of the user
> whose mail it is retrieving.

Which is, oops, a bit off. Mark Delaney said it: the checkpassword changes uid.

My bad,
Aaron
Re: pop3d needs SUID root?
On Fri, Mar 09, 2001 at 03:33:17PM -0800, Aaron L. Meehan wrote:
> Quoting Todd A. Jacobs ([EMAIL PROTECTED]):
> > When running pop3d, I get an error saying "no $HOME/Maildir" which may be
> > caused by the directory permissions of 0700 on both the home directory and
> > Maildir.
>
> qmail-pop3d is run as root by tcpserver, which is running as root. No
> suid bit is needed. qmail-pop3d switches to the userid of the user
> whose mail it is retrieving.

Nope. checkpassword does the switch, qmail-pop3d runs as whatever user it
inherits.

> So, you'll need to start believing that message--qmail-pop3d can't
> find the user's Maildir.

Wise words indeed.

> Your tcpserver's command line may be goofed up. Should look
> something like:

Also check:

1. Does the user have a $HOME/Maildir?
2. Does the user have access to this dir (could be owned by root)?

Regards.
Re: pop3d needs SUID root?
On Fri, Mar 09, 2001 at 11:26:58PM +, Ricardo Cerqueira wrote:
> On Fri, Mar 09, 2001 at 03:06:08PM -0800, Todd A. Jacobs wrote:
> > When running pop3d, I get an error saying "no $HOME/Maildir" which may be
> > caused by the directory permissions of 0700 on both the home directory and
> > Maildir.
> >
> > On Red Hat, procmail is the MDA, and is SUID/SGID root. Other than making
> > pop3d run as root, what are my options? If I chmod the directories, what's
>
> qmail-pop3d IS supposed to run as root. From LWQ:

Nope.

> tcpserver -v -R 0 pop3 /var/qmail/bin/qmail-popup FQDN \
>     /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1 | \
>     /var/qmail/bin/splogger pop3d &

tcpserver runs as root, qmail-popup inherits root, checkpassword inherits root
but changes to the uid/gid of the user that successfully logged in, pop3d
inherits the uid/gid that checkpassword changed to.

Getting back to the very confusing question. What has procmail setuidness got
to do with pop3d?

On the permissions front you forgot to mention the owner of $HOME/Maildir. Is
it owned by the user? It should be.

Finally, if you have procmail delivering to the users' $HOME/Maildir then it
does not need to be setuid root.

Regards.
Re: pop3d needs SUID root?
Quoting Todd A. Jacobs ([EMAIL PROTECTED]):
> When running pop3d, I get an error saying "no $HOME/Maildir" which may be
> caused by the directory permissions of 0700 on both the home directory and
> Maildir.

qmail-pop3d is run as root by tcpserver, which is running as root. No
suid bit is needed. qmail-pop3d switches to the userid of the user
whose mail it is retrieving.

So, you'll need to start believing that message--qmail-pop3d can't
find the user's Maildir. In the source of qmail-pop3d we see:

    void die_nomaildir() { err("this user has no $HOME/Maildir"); die(); }
    ...
    if (!argv[1]) die_nomaildir();
    if (chdir(argv[1]) == -1) die_nomaildir();

So, it dies with that same error if it doesn't get its first argument, the
name of the Maildir, or if it can't change to that Maildir. Your tcpserver's
command line may be goofed up. Should look something like:

    exec tcpserver -c60 -R -H mail.coinet.com pop-3 qmail-popup mail.coinet.com \
        checkpassword qmail-popbull /home/p/popbull/popbull qmail-pop3d Maildir

Aaron
Re: pop3d needs SUID root?
On Fri, Mar 09, 2001 at 03:06:08PM -0800, Todd A. Jacobs wrote:
> When running pop3d, I get an error saying "no $HOME/Maildir" which may be
> caused by the directory permissions of 0700 on both the home directory and
> Maildir.
>
> On Red Hat, procmail is the MDA, and is SUID/SGID root. Other than making
> pop3d run as root, what are my options? If I chmod the directories, what's

qmail-pop3d IS supposed to run as root. From LWQ:

    tcpserver -v -R 0 pop3 /var/qmail/bin/qmail-popup FQDN \
        /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1 | \
        /var/qmail/bin/splogger pop3d &

or... (inetd)

    pop3 stream tcp nowait root /var/qmail/bin/qmail-popup qmail-popup hostname.domain /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir

RC

-- 
+---
| Ricardo Cerqueira
| PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42
| Novis Telecom - Engenharia ISP / Rede Técnica
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 2 1010 - Fax: +351 2 1010 4459
Re: pop3d needs SUID root?
On Fri, Mar 09, 2001 at 03:06:08PM -0800, Todd A. Jacobs wrote:
> When running pop3d, I get an error saying "no $HOME/Maildir" which may be
> caused by the directory permissions of 0700 on both the home directory and
> Maildir.
>
> On Red Hat, procmail is the MDA, and is SUID/SGID root. Other than making
> pop3d run as root, what are my options? If I chmod the directories, what's
> the least privilege that will allow pop3d to run, without allowing users
> to clobber or access each other's Maildir files?

qmail-pop3d doesn't need to run SUID anything, but qmail-popup and
checkpassword run as root and then checkpassword execs qmail-pop3d as the user
once the user is known. checkpassword has to run as root, so that it can check
passwords and also so that it can exec qmail-pop3d as a different user. When
qmail-pop3d is run by checkpassword, it runs as the user who owns the Maildir,
so the 0700 permissions aren't a problem for it.

Chris
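The checklist the replies above converge on (is there a $HOME/Maildir, is it owned by the user, can the user's uid actually enter it, and why 0700 is harmless once checkpassword has switched uid) as an added example that is not part of the thread: a Python diagnostic applying the same owner/group/other permission check the kernel performs, run against a constructed temporary home directory. The function names and the `uid + 1` stand-in for "some other user" are assumptions of this example.

```python
import os
import stat
import tempfile

def can_access(st, uid, gid, want):
    # Model the kernel's owner/group/other check for a process that checkpassword
    # has switched to uid/gid; root always passes. want is an rwx mask (4/2/1).
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid == gid:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want

def diagnose_maildir(home, uid, gid, maildir="Maildir"):
    # Explain why qmail-pop3d, running as uid/gid, can or cannot chdir() into $HOME/Maildir.
    try:
        st_home = os.stat(home)
    except FileNotFoundError:
        return "no home directory"
    if not can_access(st_home, uid, gid, 1):   # need search on $HOME
        return "home directory not searchable by user"
    path = os.path.join(home, maildir)
    try:
        st_md = os.stat(path)
    except FileNotFoundError:
        return "this user has no $HOME/Maildir"   # qmail-pop3d's own message
    if st_md.st_uid != uid:
        return "Maildir not owned by user (owner uid %d)" % st_md.st_uid
    if not can_access(st_md, uid, gid, 5):     # need read + search on Maildir
        return "Maildir mode %o denies the owner" % stat.S_IMODE(st_md.st_mode)
    return "ok"

def demo():
    # Constructed scenarios in a temp directory; uid + 1 is a hypothetical other user.
    uid, gid = os.getuid(), os.getgid()
    out = {}
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)
        os.mkdir(os.path.join(home, "Maildir"), 0o700)
        out["owner_0700"] = diagnose_maildir(home, uid, gid)
        out["other_uid_0700_home"] = diagnose_maildir(home, uid + 1, gid + 1)
        os.chmod(home, 0o755)
        out["other_uid_foreign_maildir"] = diagnose_maildir(home, uid + 1, gid + 1)
    with tempfile.TemporaryDirectory() as home:
        out["no_maildir"] = diagnose_maildir(home, uid, gid)
    return out
```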
pop3d needs SUID root?
When running pop3d, I get an error saying "no $HOME/Maildir" which may be
caused by the directory permissions of 0700 on both the home directory and
Maildir.

On Red Hat, procmail is the MDA, and is SUID/SGID root. Other than making
pop3d run as root, what are my options? If I chmod the directories, what's
the least privilege that will allow pop3d to run, without allowing users
to clobber or access each other's Maildir files?

-- 
Todd A. Jacobs
CodeGnome Consulting, LTD