On Mon, Sep 20, 2004 at 08:33:16AM -0700, Chris Wilkes wrote:
> Hi All,
> 
>   I noticed that when sending a file that I attached with an absolute
> pathname via Perl's MIME::Lite's Path and Filename attributes q-s 1.23
> would try and create the file with the same exact file structure.
>   So if on my mail server I did a 
>     touch /tmp/blah.txt
>     chown root /tmp/blah.txt ; chmod 000 /tmp/blah.txt
>   and then on my client I attached the file via a perl script:
>     $msg = MIME::Lite->new();
>     $file = "/tmp/blah.txt";
>     $msg->attach(
>       Path        => $file,
>       Filename    => $file,
>       Disposition => 'attachment'
>     );
>   I would get the following error:
>     error_condition: X-Qmail-Scanner-1.23: owner of unpacked files (uid=0)
>     doesn't match UID of Qmail-Scanner (uid=520) - can't expect this to
>     work. Fix whatever is creating files with uid=0 (like "/tmp/blah.txt")
>   where I filled in the $filepath part for debugging purposes.
> 
>   If I attached it without the complete path:
>     $file = "blah.txt";
>   it makes it through.
> 
>   Now if I sent it a file with a pathname that doesn't exist on the
> server, for example:
>     $file = "/path/thats/not/on/server/blah.txt"
>   q-s makes it through the tests.  However if I create that directory
> structure and file on the server:
>     mkdir -p /path/thats/not/on/server
>     touch /path/thats/not/on/server/blah.txt
>   then q-s tries to access that file.
> 
>   Has anyone else seen this?  q-s 1.22 doesn't appear to have this same
> issue.

Looking at the q-s code here:

  #Stat'ing attachment names from @attachment_list will fail on filenames that reformime rewrites
  #that's OK, as they'll still be picked up via their new filename
  ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$atime,$mtime,$ctime,$blksize,$blocks)
    = stat("$filepath");
  #As you stat virtual files as well as real ones, you can't do this check against virtual files...
  if (0 && $effective_uid ne "" && $uid ne "" && $uid != $effective_uid) {
   ...

It looks like $filepath (which will be whatever the mime header says it
is) is only checked here, so I disabled this check to get 1.23 to work.
I'm able to send good files (like /etc/hosts) through and bad ones
(/tmp/virus.txt where /tmp/virus.txt exists on the server).  What is
this check done for?

Chris
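
The thread above turns on a stat() whose path comes straight from the MIME header. The Perl below is an added example, not code from qmail-scanner or from either message: it reduces the header name to a leaf inside the scanner's unpack directory before any filesystem call, so an absolute name such as /tmp/blah.txt can never select a file elsewhere on the server. confine_name(), owner_mismatch() and $scandir are hypothetical names, and the demo inputs are constructed.

```perl
#!/usr/bin/perl
# Added illustration, not qmail-scanner code. confine_name(), owner_mismatch()
# and $scandir are hypothetical names chosen for this example.
use strict;
use warnings;
use File::Basename qw(basename);
use File::Spec;
use File::Temp qw(tempdir);

# Map a sender-controlled MIME filename to a path that can only sit directly
# inside $scandir. Returns undef when nothing usable remains.
sub confine_name {
    my ($scandir, $header_name) = @_;
    return undef unless defined $header_name;
    return undef if $header_name =~ /\0/;   # no embedded NUL bytes
    $header_name =~ tr{\\}{/};              # treat backslashes as separators too
    my $leaf = basename($header_name);      # drop every directory component
    return undef if $leaf eq '' || $leaf eq '.' || $leaf eq '..' || $leaf eq '/';
    return File::Spec->catfile($scandir, $leaf);
}

# Owner check against the confined path only. lstat() is used so a symlink in
# the unpack directory is not followed to a file somewhere else.
sub owner_mismatch {
    my ($scandir, $header_name, $want_uid) = @_;
    my $path = confine_name($scandir, $header_name) or return 0;
    my @st = lstat($path) or return 0;      # nothing unpacked under this name
    return $st[4] != $want_uid ? 1 : 0;     # $st[4] is the owner uid
}

# Constructed demo: one unpacked attachment in a temporary unpack directory.
my $scandir = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($scandir, 'blah.txt')) or die "create: $!";
close $fh;

for my $name ('/tmp/blah.txt', 'blah.txt',
              '/path/thats/not/on/server/blah.txt', '../../etc/hosts', '/') {
    my $path = confine_name($scandir, $name);
    printf "%-36s -> %s (mismatch=%d)\n", $name,
        defined $path ? $path : '(rejected)',
        owner_mismatch($scandir, $name, $>);   # $> is the effective uid
}
```

With this mapping the first three names all resolve to the same blah.txt inside the unpack directory, so the owner comparison no longer depends on what happens to exist at that path on the mail server.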


_______________________________________________
Qmail-scanner-general mailing list
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
