Just some input here:

If Peter is running the Debian packages or uses a similar permission setup that would also explain his troubles. In Debian the dbmail.conf is installed 0600 and owned by root.

M. J. [Mike] O'Brien wrote:
Hey Peter:
dbmail-adduser runs as guest fresh out of gmake. It relies on MySQL username
and pass in dbmail.conf.
I just slapped DbMail onto a file server that has only a mysql40-client and
the dbmail.conf pointing to an external cluster. Logged out and in as
guest:guest and 'dbmail-adduser s' accessed the remote MySQL servers. I then
used 'dbmail-adduser a' to add a user and alias and it did.

Which is a seriously hazardous situation. This means anyone with shell access on your machine can wreak havoc in your dbmail userdb, thereby possibly deleting all your mail.

Unless no one has any kind of access to your webserver or shellserver you should avoid this setup. Almost as bad as running apache as root :-)

Imagine mr. blackhat installing a php script or cgi that has system/exec permissions, thereby gaining access to dbmail-adduser...

IMO you should either clamp down on dbmail.conf's mode, and/or restrict access to dbmail-adduser.

Some kind of suexec setup is the only safe path here.

--
  ________________________________________________________________
  Paul Stevens                                         [EMAIL PROTECTED]
  NET FACILITIES GROUP                     GPG/PGP: 1024D/11F8CD31
  The Netherlands_______________________________________www.nfg.nl
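An added example, not part of the thread above, that turns Paul's two recommendations into a local audit: dbmail.conf must be 0600 (or 0400) and owned by root, and dbmail-adduser must carry no permissions for "other". The two paths at the bottom are assumptions for a typical install, and the checks rely on GNU stat (Linux coreutils).

```shell
#!/bin/sh
# Added example (not from the dbmail list thread): audit the two files the
# discussion points at. Paths below are assumptions; adjust to your install.
# Requires GNU stat (Linux coreutils) for the -c format option.

# check_config_perms FILE [OWNER]
# Returns 0 when FILE is mode 0600 or 0400 and owned by OWNER (default root),
# i.e. the MySQL credentials inside are not readable by other local accounts.
check_config_perms() {
    file=$1
    owner=${2:-root}
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    fowner=$(stat -c '%U' "$file") || return 1
    [ "$fowner" = "$owner" ] || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;   # group/other bits, or setuid/setgid/sticky, present
    esac
}

# check_no_other_access FILE
# Returns 0 when the "other" class has no bits at all on FILE, so an
# unprivileged account (a web server user, a guest shell) cannot run or read it.
check_no_other_access() {
    file=$1
    [ -e "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    other=$(printf '%s' "$mode" | tail -c 1)   # last octal digit = "other"
    [ "$other" = "0" ]
}

# report LABEL CHECK ARGS... : print a one-line verdict without aborting.
report() {
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

# Assumed install paths (hypothetical); override via environment if needed.
report "dbmail.conf is 0600/0400, owner root" \
    check_config_perms "${DBMAIL_CONF:-/etc/dbmail.conf}"
report "dbmail-adduser not accessible to other" \
    check_no_other_access "${DBMAIL_ADDUSER:-/usr/local/sbin/dbmail-adduser}"
```

Run it as any local user; a FAIL on the first line means that user can already read the database credentials the thread is worried about.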
