[vchkpw] setting permissions in pipe execution
Hi all,

I am currently using a .qmail- file in a domain directory to pipe the contents of a message into a script on my server for local processing. Is there any way to control under which uid/gid this script executes? The reason being that it needs write access to a protected file on the system which is not accessible to my vpopmail user.

I am fairly new to the whole qmail and vpopmail setup, so forgive me if this question has an obvious answer. I have looked through the FAQs and poked around in the mailing list a fair amount, but have not been able to figure it out.

Thanks,
Finn

Re: [vchkpw] setting permissions in pipe execution
On Apr 12, 2005 6:42 AM, Tom Collins <[EMAIL PROTECTED]> wrote:
> On Apr 12, 2005, at 12:34 AM, Finn Smith wrote:
> > I am currently using a .qmail- file in a domain directory to
> > pipe the contents of a message into a script on my server for local
> > processing. Is there any way to control under which uid/gid this
> > script executes? The reason being that it needs write access to a
> > protected file on the system which is not accessible to my vpopmail
> > user.
>
> Not really. The programs in a .qmail file are executed with the same
> ownership as the emailbox.
>
> You could set the suid-bit on the program called in the .qmail-user
> file so that the program (or script) runs as the user you want, but
> you'll also want to make sure that the program/script can only be
> executed by the vpopmail user (more likely, the vchkpw group) and
> doesn't open up any security problems.

Thanks, Tom. This is more or less the answer I expected to get. I will
just have to write a little suid wrapper script to handle this.

-F

Re: [vchkpw] setting permissions in pipe execution
On 4/12/05, Finn Smith <[EMAIL PROTECTED]> wrote:
> On Apr 12, 2005 6:42 AM, Tom Collins <[EMAIL PROTECTED]> wrote:
> > On Apr 12, 2005, at 12:34 AM, Finn Smith wrote:
> > > I am currently using a .qmail- file in a domain directory to
> > > pipe the contents of a message into a script on my server for local
> > > processing. Is there any way to control under which uid/gid this
> > > script executes? The reason being that it needs write access to a
> > > protected file on the system which is not accessible to my vpopmail
> > > user.
> >
> > Not really. The programs in a .qmail file are executed with the same
> > ownership as the emailbox.
> >
> > You could set the suid-bit on the program called in the .qmail-user
> > file so that the program (or script) runs as the user you want, but
> > you'll also want to make sure that the program/script can only be
> > executed by the vpopmail user (more likely, the vchkpw group) and
> > doesn't open up any security problems.
>
> Thanks, Tom. This is more or less the answer I expected to get. I will
> just have to write a little suid wrapper script to handle this.

If anyone's interested, the solution I found for this was to use sudo and the sudoers file. I simply set it so that vpopmail could execute my script without typing a password and so the script would be executed as the proper user. Then I put "| sudo /path/to/my/script" in my .qmail- file. It works great.

-F
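
Added example, not part of the thread: a sudoers fragment for the setup described in the last message, showing an overly broad rule beside a rule scoped to the one script. The target account `scriptowner` and the file name `/etc/sudoers.d/qmail-pipe` are assumptions; `/path/to/my/script` is the placeholder used in the post.

```sudoers
# /etc/sudoers.d/qmail-pipe   (hypothetical file name; edit with: visudo -f <file>)

# Too broad: any process running as vpopmail, including every other
# .qmail program delivery, can become any user and run any command.
# vpopmail ALL = (ALL) NOPASSWD: ALL

# Scoped: vpopmail may run exactly one command, as one unprivileged
# account (scriptowner is an assumed name), with no password.
# The trailing "" rejects any command-line arguments, so the script
# only ever receives the message on stdin.
Defaults:vpopmail env_reset, !requiretty
vpopmail ALL = (scriptowner) NOPASSWD: /path/to/my/script ""

# Matching line in the .qmail- file. -n makes sudo fail instead of
# prompting if the rule ever stops matching; -u selects the target
# account (without -u, sudo runs the command as root by default).
#   | sudo -n -u scriptowner /path/to/my/script

# The script and every directory above it must not be writable by
# vpopmail or the vchkpw group; otherwise the rule is equivalent to
# handing vpopmail full access to the scriptowner account.
```

The script still processes message content supplied by arbitrary senders, so it should treat stdin as untrusted input regardless of which account it runs under.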