On Wed, 3 Dec 2003, Jeffrey Laramie wrote:

> Hi Everyone,
>
> There is an updated version of my "Beginner's Guide" now available here.
>
> http://www.ubaight.com/xmail/BeginnersGuide.html
>
> For those of you who haven't seen the draft, The Guide has been completely
> re-written and has a number of new sections. If you read the draft then the
> only substantial change is the addition of a section on installing the
> Ecartis mailing list manager.

Big warning when using Ecartis, especially coupled with XMail. Ecartis is not
the most secure package on earth; this is a known thing. Also, its suid ecartis
might let you think that you are safe, but you are indeed not. Since XMail runs
it as root, a suid ecartis does not prevent a rootkit from doing a setuid(0)
and regaining root privileges. I use this trivial wrapper called swrap.c:

-------------------------------------------------------------------
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>	/* atoi() */

static void usage(char *prg) {
	fprintf(stderr, "%s uid gid cmd [param ...]\n", prg);
}

int main(int ac, char **av, char **env) {
	if (ac < 4) {
		usage(av[0]);
		return 1;
	}
	/* Group first: once the uid is no longer 0, setgid() would fail.
	 * Supplementary groups inherited from the caller are left as they are. */
	if (setgid(atoi(av[2])) || setuid(atoi(av[1]))) {
		perror("setgid/setuid");
		return 2;
	}
	execve(av[3], &av[3], env);
	/* Only reached if execve() failed */
	perror(av[3]);
	return 3;
}
-------------------------------------------------------------------

and I use this as ecartis.sh script (the one run by XMail):

-------------------------------------------------------------------
#!/bin/sh

DIRNAME=`dirname "$0"`
FILENAME="$1"
shift

# Run the message file through econv (--mbox --unix) into $FILENAME.lst
"$DIRNAME/econv" --mbox --unix --input "$FILENAME" > "$FILENAME.lst"
# Run ecartis under the ecartis uid/gid through swrap
"$DIRNAME/swrap" 503 503 "$DIRNAME/ecartis" -f "$FILENAME.lst" "$@"
rm -f "$FILENAME"*
-------------------------------------------------------------------

Replace 503 with the real uid/gid of the ecartis user/group.
Also, a small change to the Ecartis src/core.c file:

+#define MAX_STK_SHIFT 1024 int main (int argc, char** argv) { char *temp; int errors = 0; int exitearly = 0; int count = 0; char buf[BIG_BUF]; + srand(time(NULL) * getpid() + XXXX); + alloca(rand() % MAX_STK_SHIFT);

where XXXX is your secret constant. Also, I run prelink (-R):

http://freshmeat.net/projects/prelink/?topic_id=253

on Ecartis, econv and (just to be sure) the XMail binary.

- Davide
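
Review bot: the return value of `alloca(rand() % MAX_STK_SHIFT);` is discarded, so an optimising compiler may drop the call and the stack shift with it; store the pointer in a volatile variable or write to the allocated bytes so the allocation has to stay. The call also sits in main() after `char buf[BIG_BUF];`, which means it only moves the frames of functions called from main(), not buf itself. The offset comes from srand()/rand() seeded with `time(NULL) * getpid() + XXXX` and reduced modulo 1024, so it takes at most 1024 values and depends on the constant staying secret inside a binary that is installed on disk; that is worth a comment in the source so nobody mistakes it for more than a speed bump. The hunk adds no #include lines, so check that core.c already pulls in the headers that declare time(), getpid() and alloca().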
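
The privilege drop that swrap.c performs, as an added example that is not part of Davide's message or of XMail/Ecartis: a stricter variant that parses the uid/gid without atoi() (which turns a typo into 0, i.e. root), clears supplementary groups, and confirms that setuid(0) fails after the drop. The helper names parse_id and drop_privs are hypothetical, and the wrapper is assumed to be started as root, as XMail does here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (added example). Strictly parse a decimal id: rejects
 * empty input, signs, trailing junk, overflow and 0, so a typo cannot mean
 * "stay root" as atoi("abc") == 0 would. Returns 0 on success, -1 on error. */
int parse_id(const char *s, unsigned long *out) {
	char *end;
	unsigned long v;
	if (s == NULL || *s < '0' || *s > '9')
		return -1;
	errno = 0;
	v = strtoul(s, &end, 10);
	if (errno != 0 || *end != '\0' || v == 0 || v > (unsigned long)INT_MAX)
		return -1;
	*out = v;
	return 0;
}

/* Hypothetical helper. Drop from root to uid/gid; groups and gid must change
 * while still root. Returns 0 only if the drop is complete and irreversible. */
int drop_privs(uid_t uid, gid_t gid) {
	if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
		return -1;
	if (setuid(0) == 0 || setgid(0) == 0)	/* regaining root must fail */
		return -1;
	return (getuid() == uid && geteuid() == uid &&
	        getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(int ac, char **av) {
	unsigned long uid, gid;
	if (ac < 4 || parse_id(av[1], &uid) != 0 || parse_id(av[2], &gid) != 0) {
		fprintf(stderr, "usage: %s uid gid cmd [param ...]\n", av[0]);
		return 1;
	}
	if (drop_privs((uid_t)uid, (gid_t)gid) != 0) {
		fprintf(stderr, "%s: could not drop privileges\n", av[0]);
		return 2;
	}
	execv(av[3], &av[3]);
	perror(av[3]);
	return 3;
}
```

When started by a non-root user, setgroups() fails and the wrapper exits with status 2 instead of running the command under the caller's identity.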