Subject: Re: [maildropl] Maildrop and UID/GID Settings
From: Nathan Frankish (nf+c@our-lan.com)
Date: Jul 4, 2007 1:45:15 am
List: net.sourceforge.lists.courier-maildrop

Tony Earnshaw wrote:

Devin Rubia wrote, on 03-07-2007 16:01:

[...]

[SNIP]

From main.C:

static int callback_authlib(struct authinfo *auth, void *void_arg)
{
	[SNIP]
	setgroupid(auth->sysgroupid);
	[SNIP]
	setuid(u);
	[SNIP]
}

Short answer: Yes, maildrop will change to the uid/gid specified by authlib. In fact, it depends on it and will EX_TEMPFAIL if it cannot setuid or cannot find the system user specified (setgid doesn't appear to be tested, though).

In practice this doesn't work without the setuid bit being on. As maildrop is delivered in the rpm (at any rate), the perms are 555; on my rigs maildrop will not change UID to my virtual user, vmail, without suid. I use 6555, that works. Obviously I have this user as global UID/GID in authdaemon's authldaprc.

--Tonni

Forgive my ignorance/unsureness, when you say that it needs the setuid bit (I assume you mean the maildrop executable), doesn't that mean it runs as the user that owns the file? Or does that mean it's allowed to run and then change into the correct user? Or have I missed something completely?

If I have different uids/gids that I would expect maildrop to change into, I assume it would have to run as root, unless I am mistaken.

Thanks for everyone's help so far.