5 messages in net.sourceforge.lists.courier-sqwebmail: Re: [sqwebmail] The webmail system is...

From              Sent On
Willy Mularto     Jan 14, 2007 9:00 am
Willy Mularto     Jan 14, 2007 9:33 am
Brian Candler     Jan 14, 2007 1:28 pm
sang...@gmail.com Jan 14, 2007 7:12 pm
Brian Candler     Jan 15, 2007 12:36 am
Subject: Re: [sqwebmail] The webmail system is temporarily unavailable. An error occured in function write: Transport endpoint is not connected
From: Brian Candler (B.Ca@pobox.com)
Date: Jan 14, 2007 1:28:55 pm
List: net.sourceforge.lists.courier-sqwebmail

On Mon, Jan 15, 2007 at 12:34:00AM +0700, Willy Mularto wrote:

Finally I solved this problem, and maybe it can help others who use Trustix Secure Linux 30. Please follow these steps:

- chmod -s /home/httpd/cgi-bin/sqwebmail
- chown vpopmail.vchkpw /home/httpd/cgi-bin/sqwebmail
- chown -Rf vpopmail.vchkpw /usr/lib/sqwebmail
- vi /usr/local/etc/authlib/authdaemonrc, and modify authmodulelist="authvchkpw" authmodulelistorig="authvchkpw"
- restart courier-authlib and sqwebmaild

* WARNING FOR THE ARCHIVES * DON'T DO THIS *

You didn't specify what version of sqwebmail you installed, but recent versions of sqwebmail come in two parts: a small CGI program, and a daemon (sqwebmaild). Actually, it looks like you have the daemon pool, so it must be moderately recent.

Now, the sqwebmail daemon only needs permissions to write down a socket to talk to the sqwebmaild process pool. That's the issue you needed to sort out. The CGI is setuid just so that it has rights to open this socket, but nobody else on the system can.

You should have only needed a much smaller set of changes than you actually made. Notice, for example, that chown'ing /usr/lib/sqwebmail to vpopmail.vchkpw is actually a big security hole, because if anyone ever manages to break into your system as user 'vpopmail', then they will be able to modify files in this directory. Since sqwebmaild runs as root, this in turn will give them an easy route to escalate their privileges.

So - I'm not disputing that what you did made your system work. I'm simply advising that other people should *not* do what you did. They should investigate properly to find out the root cause of the problem (for example using 'strace' to see where the CGI was failing and why), and then make the minimum set of permission changes to allow it to work.

All binaries, and the directories which contain them, should be owned by 'root'.

--enable-imageurl=/images/sqwebmail --with-module-authvchkpw --sysconfdir=/etc/sqwebmail --with-authvchkpw

FYI the options "--with-module-authvchkpw" and "--with-authvchkpw" are random inventions. Unknown configure options are ignored, and so don't do anything.

If you want to use authvchkpw, then this is asserted at the time you compile courier-authlib, not sqwebmail.

Regards,

Brian.
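Following Brian's point that an install tree loaded by a root-run daemon must stay root-owned, here is an added POSIX shell audit (not from this thread, and not sqwebmail's own tooling) that lists anything under a directory not owned by the expected user and reports setuid files for review; the directory and expected owner are arguments, and the recursive chown above would be flagged by it.

```shell
#!/bin/sh
# Added example, not part of the thread and not sqwebmail's own tooling.
# Audits an install tree for the situation Brian warns about: files that a
# root-run daemon loads being owned by the mail user instead of root.
# Also lists setuid files, so an admin can confirm that the only one is the
# small CGI that needs it to reach the sqwebmaild socket.

# Print every path under DIR ($1) that is not owned by OWNER ($2).
list_nonowner() {
    find "$1" ! -user "$2" -print
}

# Print "owner path" for every regular file under DIR ($1) with the setuid bit.
# Uses ls -ld rather than stat(1) for portability; paths must not contain spaces.
list_setuid() {
    find "$1" -type f -perm -4000 -exec ls -ld {} \; | awk '{print $3, $NF}'
}

# audit_tree DIR [OWNER]: report findings; return 0 only when every path is
# owned by OWNER (default root). Setuid files are informational, not failures.
audit_tree() {
    dir="$1"
    owner="${2:-root}"
    if ! id "$owner" >/dev/null 2>&1; then
        echo "audit_tree: no such user: $owner" >&2
        return 2
    fi
    bad=$(list_nonowner "$dir" "$owner")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed "s|^|NOT-OWNED-BY-$owner: |"
    fi
    list_setuid "$dir" | sed 's|^|SETUID: |'
    [ -z "$bad" ]
}
```

Run it as `audit_tree /usr/lib/sqwebmail` after an install; a non-zero exit means something in the tree is writable by a user other than root.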