On Wed, May 12, 2004 at 10:44:40PM +0200, Paul J Stevens wrote:
> AFAIK setresuid/setresgid are gnu extensions that are also available on
> freebsd and hp-ux. Providing this on debian is of course no immediate
> problem, even though we'd have to #define _GNU_SOURCE; For upstream,
> however: a no
Just a little nitpicking, but "privileges" does not have a "d" in it...
Looks like a good patch to solve this problem, just so long as it will be
cross platform friendly!
Aaron
Paul J Stevens <[EMAIL PROTECTED]> said:
>
> Dan,
>
> On debian/sarge I get:
>
> gcc -DHAVE_CONFIG_H -I. -I. -I.
Dan,
On debian/sarge I get:
gcc -DHAVE_CONFIG_H -I. -I. -I.-fomit-frame-pointer -Wall -O1 -g -W
-Wall -Wpointer-arith -Wstrict-prototypes -c server.c
server.c: In function `DropPrivledges':
server.c:164: warning: implicit declaration of function `setresuid'
server.c:165: warning: implicit
Package: dbmail
Severity: grave
Tags: security experimental sid
Justification: user security hole
The parent process of dbmail is not dropping privileges and induces a
serious security hole since the user is root.
-- Dan Weber
-- System Information:
Debian Release: testing/unstable
APT pref
Here is a newer patch to work with. It doesn't work but that's my
fault. It has the general layout of how things need to be though. As
soon as you create a socket, permissions must be dropped. I suggest
making a DropPrivleges function to do it for each pop3, imap, and
lmtp.
-- Dan Weber
#! /bin/s
After all my different ways of patching it, ugly and not, here is my
final patch. This one seems the cleanest and seems just what was
needed. I added a function DropPrivledges to server.c which is called
from CreateSocket. So this forces the program, as soon as the socket
is created it drops per
tag 248534 patch
thanks
Here is the patch I wrote for your dbmail-2.0 experimental branch. It
can be easily adapted to dbmail-1.2. I recommend having this loaded
after your prefork patch.
-- Dan Weber
#! /bin/sh -e
## 07_drop_privledges.dpatch by <[EMAIL PROTECTED]>
##
## All lines beginning w
Done! Also removed newlines from the ends of trace calls; trace inserts them.
Aaron
Thomas Mueller <[EMAIL PROTECTED]> said:
>
> Hi,
>
> could someone please apply the attached patch? It removes the ^M from
> trace line ends in syslog. Thanks!
>
>
> Thomas
> --
> http://www.tmueller.com for