On Sat, 10 Mar 2001, Lawrence Greenfield wrote:

> This is reasonable.  Would people be happier if the master process did a setgid() by default?

Larry, the short answer is "yes".

I've solved the problem below by setting /etc/sasldb to root:bin, 640,
since the master process runs its children with gid = 1 (on Red Hat
Linux 6.2).  But of course it'd better set the gid based on the passwd
entry. I'd suggest also giving the initgroups() function a try (but
it isn't POSIX, IIRC).

Robert, you may need to compile sendmail with -D_FFR_UNSAFE_SASL and set
the DontBlameSendmail option to groupreadablesaslfile in order to
get the above to work.

If you need auto_transition: true you're in trouble, AFAIK. I can't
think of any solution but either running imapd as root or having two
different sasldb files.

> 
> Thanks,
> Larry
> 
> --On Wednesday, January 17, 2001 02:54:00 PM +0100 Robert Böhm <Robert@connect-franken.de> wrote:
> 
> >
> >
> > Hi there.
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Wednesday, January 17, 2001 5:10 AM
> > Subject: Re: Authentication Cyrus/sasl
> >
> >
> >> Sendmail and cyrus don't cooperate very well with file access.
> >
> > I've encountered the following problem in trying to use sendmail w/ SASL
> > and cyrus' imap w/ SASL at the same time:
> >
> > By default both will want read access to /etc/sasldb.
> > Furthermore sendmail usually will not allow this file to be writable or
> > readable by any other user than the one it is running as.
> >
> > This, at first, seems unsolvable, as my sendmail daemon is running as a
> > privileged user, as opposed to cyrus imap.
> >
> > But sendmail is kind enough to offer an option which will allow for the
> > /etc/sasldb to be groupreadable.
> > So I chmod/own'ed the file to 640/root.cyrus, where the group cyrus is the
> > default group for user cyrus, with no other users in it.
> >
> > I supposed this to work, as
> >   # su cyrus
> >   $ cat /etc/sasldb
> > did work, too... but it did not. Cyrus imap, even though running as cyrus,
> > did not have the permission to read the file. chown'ing would have worked
> > though, but was not an option as it would not have been accepted by
> > sendmail's security checks.
> >
> > Well, I have changed the source code of `master`, and now it works. But I
> > don't know whether it will impose any security risks or affect the general
> > operability of cyrus imap.
> >
> > These are my changes to file /usr/src/cyrus-imapd-2.07/master/master.c :
> >
> >     int become_cyrus(void)
> >      {
> >          struct passwd *p;
> >          static int uid = 0;
> > +        static int gid = 0;
> >
> > -        if (uid) return setuid(uid);
> > +        if (uid&&gid) return (setgid(gid) || setuid(uid)) ;
> >
> >          p = getpwnam(CYRUS_USER);
> >          if (p == NULL) {
> >              syslog(LOG_ERR, "no entry in /etc/passwd for %s",
> >              CYRUS_USER); return -1;
> >          }
> >          uid = p->pw_uid;
> > +        gid = p->pw_gid;
> > -        return setuid(uid);
> > +        return (setgid(gid) | setuid(uid)) ;
> >      }
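
Review bot: the two return paths no longer match the original contract of returning setuid()'s result (0 or -1): `if (uid&&gid) return (setgid(gid) || setuid(uid)) ;` yields 1 on failure because of `||`, and `return (setgid(gid) | setuid(uid)) ;` still calls setuid() after setgid() has already failed. Suggest checking each call on its own in both places, e.g. `if (setgid(gid) < 0) return -1; return setuid(uid);`. Two smaller points: the cached fast path `if (uid&&gid)` never triggers when the cyrus primary gid is 0, whereas the original `if (uid)` did, and setgid() on its own leaves the supplementary groups inherited from the root-started master in place, so an initgroups() or setgroups() call before setgid() would complete the privilege drop.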
> >
> > Any comment on whether this course of action is acceptable is welcome.
> >
> > Thanks, Robert.
> >
> > ---
> > The universe is filled with dark letters even though we can't see them.
> > 90% of all letters are dark.
> >

.TM.
-- 
      ____/  ____/   /
     /      /       /                   Marco Colombo
    ___/  ___  /   /                  Technical Manager
   /          /   /                      ESI s.r.l.
 _____/ _____/  _/                     [EMAIL PROTECTED]
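A privilege-drop routine along the lines Marco suggests (gid taken from the passwd entry, supplementary groups via initgroups(), every call checked), as an added example that is not the cyrus-imapd master.c code; `lookup_user` and `become_user` are hypothetical names, and `_DEFAULT_SOURCE` is assumed to be the feature macro that exposes initgroups() on the build platform.

```c
#define _DEFAULT_SOURCE 1   /* assumed: exposes initgroups() on glibc/musl */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Resolve an account to its uid and primary gid. Returns 0 on success,
 * -1 (logged the way master.c does) when there is no passwd entry. */
int lookup_user(const char *user, uid_t *uid, gid_t *gid)
{
    struct passwd *p = getpwnam(user);
    if (p == NULL) {
        syslog(LOG_ERR, "no entry in /etc/passwd for %s", user);
        errno = ENOENT;
        return -1;
    }
    *uid = p->pw_uid;
    *gid = p->pw_gid;
    return 0;
}

/* Drop from root to the named account. Group changes need root, so they
 * come before setuid(); each step is checked so a failure is reported
 * instead of leaving the process half-dropped. */
int become_user(const char *user)
{
    uid_t uid;
    gid_t gid;

    if (lookup_user(user, &uid, &gid) != 0)
        return -1;
    /* Already that account (started non-root): nothing to do. */
    if (getuid() == uid && geteuid() == uid && getgid() == gid)
        return 0;
    /* Supplementary groups from /etc/group: what setgid() alone leaves behind. */
    if (initgroups(user, gid) != 0)
        return -1;
    if (setgid(gid) != 0)          /* primary gid from the passwd entry */
        return -1;
    if (setuid(uid) != 0)          /* last: after this, groups can't be changed */
        return -1;
    /* Verify the drop stuck: a non-root target must not regain root. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```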
