On Mon, Jan 15, 2007 at 12:34:00AM +0700, Willy Mularto wrote:
> Finally I solved this problem, and maybe it can help others who use
> Trustix Secure Linux 30. Please follow these steps:
> - chmod -s /home/httpd/cgi-bin/sqwebmail
> - chown vpopmail.vchkpw /home/httpd/cgi-bin/sqwebmail
> - chown -Rf vpopmail.vchkpw /usr/lib/sqwebmail
> - vi /usr/local/etc/authlib/authdaemonrc, and modify
> authmodulelist="authvchkpw" authmodulelistorig="authvchkpw"
> - restart courier-authlib and sqwebmaild
* WARNING FOR THE ARCHIVES * DON'T DO THIS *
You didn't specify what version of sqwebmail you installed, but recent
versions of sqwebmail come in two parts: a small CGI program, and a daemon
(sqwebmaild). Actually, it looks like you have the daemon pool, so it must
be moderately recent.
Now, the sqwebmail daemon only needs permissions to write down a socket to
talk to the sqwebmaild process pool. That's the issue you needed to sort
out. The CGI is setuid just so that it has rights to open this socket, but
nobody else on the system can.
You should have only needed a much smaller set of changes than you actually
made. Notice, for example, that chown'ing /usr/lib/sqwebmail to
vpopmail.vchkpw is actually a big security hole, because if anyone ever
manages to break into your system as user 'vpopmail', then they will be able
to modify files in this directory. Since sqwebmaild runs as root, this in
turn will give them an easy route to escalate their privileges.
So - I'm not disputing that what you did made your system work. I'm simply
advising that other people should *not* do what you did. They should
investigate properly to find out the root cause of the problem (for example
using 'strace' to see where the CGI was failing and why), and then make the
minimum set of permission changes to allow it to work.
All binaries, and the directories which contain them, should be owned by
'root'.
> --enable-imageurl=/images/sqwebmail --with-module-authvchkpw
> --sysconfdir=/etc/sqwebmail --with-authvchkpw
FYI the options "--with-module-authvchkpw" and "--with-authvchkpw" are
random inventions. Unknown configure options are ignored, and so don't do
anything.
If you want to use authvchkpw, then this is asserted at the time you compile
courier-authlib, not sqwebmail.
Regards,
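The reply's rule (binaries and the directories containing them stay root-owned, and a setuid binary must not belong to a service user) can be checked mechanically before and after any permission change. The script below is an added example, not part of the thread or of sqwebmail; the paths in the usage comment are assumptions, and it relies on GNU coreutils stat(1).

```shell
#!/bin/sh
# Added example (not from the original thread): audit an install tree for
# the ownership problems discussed above. Lists every file or directory
# that is not owned by the expected uid, is group- or world-writable, or
# is setuid without being root-owned. Assumes GNU stat(1) with -c.
#
# Usage: audit_tree <expected_uid> <path>...
#   e.g. audit_tree 0 /usr/lib/sqwebmail /home/httpd/cgi-bin/sqwebmail
# Output: one "<REASON> <mode> <uid> <path>" line per finding; no output
# means the tree is clean.
audit_tree() {
    expected_uid="$1"; shift
    find "$@" \( -type f -o -type d \) -exec sh -c '
        expected="$1"; shift
        for path in "$@"; do
            uid=$(stat -c %u "$path") || continue
            mode=$(stat -c %a "$path") || continue
            # A service account that owns this path can replace what a
            # root daemon loads or executes from it.
            [ "$uid" -ne "$expected" ] && echo "WRONG_OWNER $mode $uid $path"
            # 022 (octal) = group or other write bit.
            [ $(( 0$mode & 022 )) -ne 0 ] && echo "WRITABLE $mode $uid $path"
            # 04000 (octal) = setuid bit. A setuid binary owned by a
            # non-root user is exactly the chown/chmod -s mistake above.
            if [ $(( 0$mode & 04000 )) -ne 0 ] && [ "$uid" -ne 0 ]; then
                echo "SETUID_NONROOT $mode $uid $path"
            fi
        done
    ' sh "$expected_uid" {} +
}
```

Run it as root with expected uid 0 against the sqwebmail CGI and library directories; each finding is a concrete path to fix rather than a reason to chown the whole tree.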