3 messages in net.sourceforge.lists.courier-sqwebmail[sqwebmail] sqwebpasswd installation bug
FromSent OnAttachments
Brian CandlerApr 23, 2005 3:33 am 
Sam VarshavchikApr 23, 2005 5:16 am 
Brian CandlerApr 23, 2005 6:35 am 
Actions with this message:
Paste this link in email or IM:
Paste this link in email or IM:
Atom feed for this thread
Paste this URL into your reader:
Subject:[sqwebmail] sqwebpasswd installation bugActions...
From:Brian Candler (B.Ca@pobox.com)
Date:Apr 23, 2005 3:33:31 am
List:net.sourceforge.lists.courier-sqwebmail

[sqwebmail 5.0.1]

There is an installation bug which causes sqwebpasswd to be installed setgid wheel instead of setgid mail. This is likely to cause password changing to fail in many installations.

... chown: @mailuser@: Invalid argument gmake[6]: [install-exec-hook] Error 1 (ignored) chgrp: @mailgroup@: Invalid argument gmake[6]: [install-exec-hook] Error 1 (ignored) ...

At very least:

AC_SUBST(mailuser) AC_SUBST(mailgroup)

are missing, although I can't see how those values are set (presumably from the output of courierauthconfig somehow). In any case I don't have the right versions of autoconf and friends installed to test this out.

It does seem to me that sqwebpasswd is something of a system security hole, as it's unprotected and can bump you up into the wheel group (currently), or the mail group (when this bug is fixed). If all sqwebmail users are allowed to change their passwords then it would be equally secure (or more so) just to set courier-authlib's authdaemonvar directory to mode 755.

Regards,

Brian.