This is reasonable. Would people be happier if the master process did a setgid() by
default?
Thanks,
Larry
--On Wednesday, January 17, 2001 02:54:00 PM +0100 Robert Böhm
<[EMAIL PROTECTED]> wrote:
>
>
> Hi there.
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, January 17, 2001 5:10 AM
> Subject: Re: Authentication Cyrus/sasl
>
>
>> Sendmail and cyrus don't cooperate very well with file access.
>
> I've encountered the following problem in trying to use sendmail w/ SASL
> and cyrus' imap w/ SASL at the same time:
>
> By default both will want read access to /etc/sasldb.
> Furthermore, sendmail usually will not allow this file to be writable or
> readable by any user other than the one it is running as.
>
> This, at first, seems unsolvable, as my sendmail daemon is running as a
> privileged user, as opposed to cyrus imap.
>
> But sendmail is kind enough to offer an option which will allow the
> /etc/sasldb to be group-readable.
> So I chmod/chown'ed the file to 640/root.cyrus, where the group cyrus is the
> default group for user cyrus, with no other users in it.
>
> I supposed this to work, as
> # su cyrus
> $ cat /etc/sasldb
> did work, too... but it did not. Cyrus imap, even though running as cyrus,
> did not have the permission to read the file. chown'ing would have worked,
> though, but was not an option as it would not have been accepted by
> sendmail's security checks.
>
> Well, I have changed the source code of `master`, and now it works. But I
> don't know whether it will impose any security risks or affect the general
> operability of cyrus imap.
>
> These are my changes to file /usr/src/cyrus-imapd-2.07/master/master.c :
>
> int become_cyrus(void)
> {
> struct passwd *p;
> static int uid = 0;
> + static int gid = 0;
>
> - if (uid) return setuid(uid);
> + if (uid&&gid) return (setgid(gid) || setuid(uid)) ;
>
> p = getpwnam(CYRUS_USER);
> if (p == NULL) {
> syslog(LOG_ERR, "no entry in /etc/passwd for %s",
> CYRUS_USER); return -1;
> }
> uid = p->pw_uid;
> + gid = p->pw_gid;
> - return setuid(uid);
> + return (setgid(gid) | setuid(uid)) ;
> }
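Review bot: the two replacement return statements are not equivalent: `(setgid(gid) || setuid(uid))` short-circuits, so when setgid() fails setuid() is never attempted and the function returns 1, whereas `(setgid(gid) | setuid(uid))` calls both and yields -1 if either fails; a caller that tests for -1 will miss the first case entirely. Make each step an explicit, checked statement (`if (setgid(gid) != 0) return -1;` then `if (setuid(uid) != 0) return -1;`), keeping the setgid-before-setuid order, since setgid() can only succeed while the process is still root. Two smaller points: the cache test `if (uid&&gid)` never hits when the account's gid is 0, so getpwnam() is repeated on every call in that case, and neither path touches the supplementary group list, so groups inherited from the root master process stay in effect after the drop; a setgroups() or initgroups() call before setgid() would complete the privilege drop.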
>
> Any comment on whether this course of action is acceptable is welcome.
>
> Thanks, Robert.
>
> ---
> The universe is filled with dark letters even though we can't see them.
> 90% of all letters are dark.
>
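The permission failure Robert describes (uid cyrus, but a group list still root's, against a 0640 root:cyrus file) and the full drop that fixes it, as an added C example that is not Cyrus or Robert's code. The uid/gid values and the `drop_to_user()` helper are constructed for this illustration; `can_read()` models the standard POSIX owner/group/other mode-bit cascade and ignores ACLs and capabilities.

```c
#define _DEFAULT_SOURCE 1
#define _GNU_SOURCE 1
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>

/* Classic POSIX read check: the first matching class (owner, then group,
 * then other) decides; root bypasses the mode bits entirely. */
int can_read(mode_t mode, uid_t f_uid, gid_t f_gid,
             uid_t p_uid, gid_t p_egid, const gid_t *groups, int ngroups)
{
    if (p_uid == 0) return 1;
    if (p_uid == f_uid) return (mode & S_IRUSR) != 0;
    if (p_egid == f_gid) return (mode & S_IRGRP) != 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == f_gid) return (mode & S_IRGRP) != 0;
    return (mode & S_IROTH) != 0;
}

/* Constructed ids for the scenario in the thread; real systems differ. */
#define ROOT_UID 0
#define ROOT_GID 0
#define DEMO_CYRUS_UID 1001
#define DEMO_CYRUS_GID 1001

/* /etc/sasldb as described: mode 0640, owner root, group cyrus. */
static const mode_t SASLDB_MODE = S_IRUSR | S_IWUSR | S_IRGRP;

/* Process state after a setuid()-only drop: uid is cyrus, but the effective
 * gid and supplementary groups are still root's, so the group bits never
 * apply and the "other" bits (none) decide. */
int sasldb_readable_after_setuid_only(void)
{
    gid_t groups[] = { ROOT_GID };
    return can_read(SASLDB_MODE, ROOT_UID, DEMO_CYRUS_GID,
                    DEMO_CYRUS_UID, ROOT_GID, groups, 1);
}

/* Process state after setgroups() + setgid() + setuid(): the group bits
 * of the root:cyrus file now apply. */
int sasldb_readable_after_full_drop(void)
{
    gid_t groups[] = { DEMO_CYRUS_GID };
    return can_read(SASLDB_MODE, ROOT_UID, DEMO_CYRUS_GID,
                    DEMO_CYRUS_UID, DEMO_CYRUS_GID, groups, 1);
}

/* Hypothetical replacement for a become_cyrus()-style routine: drop root
 * to the named account in the only order that works (supplementary groups,
 * primary gid, then uid), checking every step, then verify the result.
 * Returns 0 on success, -1 on any failure. */
int drop_to_user(const char *user)
{
    struct passwd *p = getpwnam(user);
    if (p == NULL) {
        fprintf(stderr, "no passwd entry for %s\n", user);
        return -1;
    }
    /* Clear inherited supplementary groups first; initgroups(user, gid)
     * would instead load the account's configured group list. */
    if (setgroups(1, &p->pw_gid) != 0) return -1;
    if (setgid(p->pw_gid) != 0) return -1;   /* must precede setuid() */
    if (setuid(p->pw_uid) != 0) return -1;
    /* Confirm the drop took effect rather than trusting the return codes. */
    if (getuid() != p->pw_uid || geteuid() != p->pw_uid ||
        getgid() != p->pw_gid || getegid() != p->pw_gid) return -1;
    return 0;
}

int main(void)
{
    printf("setuid()-only drop, read /etc/sasldb: %s\n",
           sasldb_readable_after_setuid_only() ? "allowed" : "denied");
    printf("full drop, read /etc/sasldb:         %s\n",
           sasldb_readable_after_full_drop() ? "allowed" : "denied");
    return 0;
}
```

Run as root, `drop_to_user("cyrus")` performs the real drop; run unprivileged, setgroups() fails and the function reports -1 instead of continuing half-dropped, which is the failure mode the single-expression return in the thread can hide.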