Matt Simerson wrote:
>
> Hi Ken (et al),
>
> I've found another place where the multiple UID/GID feature isn't quite
> completely implemented. I've built another mail toaster with
> qmail/vpopmail/qmailadmin and each domain is a unique UID/GID. The main
> difference is that I am using MySQL authentication on this one. I've got the
> server up and running happily but users can't change passwords in
> qmailadmin. Whenever they attempt to they get a "Failed to change password.
> user domain.com newpass -22" error.
>
> A little legwork tracked that back to error 140 in the html files. I tracked
> that back to the function modusergo in qmailadmin/user.c which makes a call
> to vpasswd (which of course is linked against the vpopmail library). So, back
> in the vpopmail/vpopmail.c we find our vpasswd function which calls
> vauth_vpasswd which is in the vmysql.c file. In there, we end the chase and
> find the offending code:
>
> myuid = geteuid();
> if ( myuid != VPOPMAILUID && myuid != 0 ) {
>     return(VA_BAD_UID);
> }
>
> Note of course that this does work just fine from the command line because
> the commands are being run as root. However, when run from qmailadmin via
> HTTPS we call qmailadmin (which is suid root.vchkpw) which ends up running
> as the UID/GID of the domain's owner. In this case, test.com is owned by user
> test so qmailadmin is then running as test. We can confirm this by adding
> the line: printf("my effective uid is: %d\n", myuid); to the C code and
> recompiling. Sure enough, it adds a line to the HTML page reflecting the uid
> of test. The end result is that anytime a user tries to change their
> password, they get the error message I indicated earlier.
>
> If I simply comment out the if statement, everything works just fine but I'm
> wondering if that's a good idea or not. Is there some error and
> authentication checking in there somewhere so that [EMAIL PROTECTED] can't
> forge an HTTP request for [EMAIL PROTECTED] and change his password?
>
> Matt
Ahh! I think we can fix that by using the
tmpstr = vget_assign(domain, Dir, 156, &uid, &gid );
call for each domain, then checking against the uid/gid.
I'll do a code review of 4.10.3 for all uid checks.
Ken Jones
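The check Ken sketches, written out as an added example (not vpopmail's own code): the domain's assigned uid/gid is looked up and the caller's effective ids are compared against it, so root and the vpopmail user pass as before, a domain's owner passes only for its own domain, and anyone else still gets VA_BAD_UID. The assignment table, lookup_assign() and the constant values are constructed stand-ins for vget_assign() and the values vpopmail takes from its config headers; the -22 is assumed to mirror the code in Matt's error message.

```c
#include <string.h>
#include <sys/types.h>

#define VPOPMAILUID  89   /* constructed value; real builds take it from config.h */
#define VA_SUCCESS    0
#define VA_BAD_UID  -22   /* assumed: mirrors the -22 in the qmailadmin error above */

/* Constructed stand-in for the per-domain assignment data that
 * vget_assign(domain, Dir, 156, &uid, &gid) would return on Matt's toaster,
 * where each domain runs under its own UID/GID. */
struct domain_assign { const char *domain; uid_t uid; gid_t gid; };
static const struct domain_assign assigns[] = {
    { "test.com",    1001, 1001 },
    { "example.com", 1002, 1002 },
};

/* Hypothetical lookup standing in for vget_assign(): returns 1 and fills
 * uid/gid for a known domain, 0 for an unknown one. */
static int lookup_assign(const char *domain, uid_t *uid, gid_t *gid) {
    size_t i;
    for (i = 0; i < sizeof assigns / sizeof assigns[0]; i++) {
        if (strcmp(assigns[i].domain, domain) == 0) {
            *uid = assigns[i].uid;
            *gid = assigns[i].gid;
            return 1;
        }
    }
    return 0;
}

/* Replacement for the bare geteuid() test in vauth_vpasswd: root and the
 * vpopmail user are accepted as before; additionally the domain's own
 * owner (what setuid qmailadmin runs as) is accepted, but only for the
 * domain it owns. Unknown domains and any other uid/gid are rejected. */
int check_caller_uid(uid_t euid, gid_t egid, const char *domain) {
    uid_t duid;
    gid_t dgid;
    if (euid == 0 || euid == VPOPMAILUID)
        return VA_SUCCESS;
    if (!lookup_assign(domain, &duid, &dgid))
        return VA_BAD_UID;            /* unknown domain: deny, do not guess */
    if (euid == duid && egid == dgid)
        return VA_SUCCESS;
    return VA_BAD_UID;                /* e.g. test.com's owner on example.com */
}
```

In the real code the uid/gid would come from geteuid()/getegid() and the domain from the user being changed, so a forged request for another domain's user fails at this check rather than at nothing.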