Josip Rodin writes:
On Thu, Jan 14, 2010 at 10:52:55PM -0500, Sam Varshavchik wrote:
OK, it works when I put it in the first block, where it first does setuid()
because of the delivery mode. Then the subprocess gets the group mail.
You must be referring to the following.
After giving this an
On Thu, Jan 14, 2010 at 10:52:55PM -0500, Sam Varshavchik wrote:
>> OK, it works when I put it in the first block, where it first does setuid()
>> because of the delivery mode. Then the subprocess gets the group mail.
>
> You must be referring to the following.
>
> After giving this another good lo
Josip Rodin writes:
On Wed, Jan 13, 2010 at 07:44:07PM -0500, Sam Varshavchik wrote:
Let's try the following patch. I do appreciate your help in testing it.
It's not easy for me to test all possible permutations of distro-specific
configurations, and platform-specific nuances, that float aroun
On Wed, Jan 13, 2010 at 07:44:07PM -0500, Sam Varshavchik wrote:
> Let's try the following patch. I do appreciate your help in testing it.
> It's not easy for me to test all possible permutations of distro-specific
> configurations, and platform-specific nuances, that float around.
>
> diff -U3 -
Josip Rodin writes:
On Wed, Jan 13, 2010 at 07:13:38AM -0500, Sam Varshavchik wrote:
Maybe, maybe not. Instead of invoking 'id' as a child process of
maildrop, try just having maildrop deliver a test message to a new
mailbox, and see what the ownership of the new file becomes.
That part is f
On Wed, Jan 13, 2010 at 07:13:38AM -0500, Sam Varshavchik wrote:
% id testmaildrop
uid=1006(testmaildrop) gid=1006(testmaildrop) groups=1006(testmaildrop)
uid=1006(testmaildrop) gid=0(root) groups=0(root)
That's the problem. After using -d, it changes the user but not the group.
Josip Rodin writes:
On Tue, Jan 12, 2010 at 08:02:31PM -0500, Sam Varshavchik wrote:
% id testmaildrop
uid=1006(testmaildrop) gid=1006(testmaildrop) groups=1006(testmaildrop)
uid=1006(testmaildrop) gid=0(root) groups=0(root)
That's the problem. After using -d, it changes the user but not the gr
On Tue, Jan 12, 2010 at 08:02:31PM -0500, Sam Varshavchik wrote:
>> % id testmaildrop
>> uid=1006(testmaildrop) gid=1006(testmaildrop) groups=1006(testmaildrop)
>> uid=1006(testmaildrop) gid=0(root) groups=0(root)
>> That's the problem. After using -d, it changes the user but not the group.
>> Can
Josip Rodin writes:
On Tue, Jan 12, 2010 at 05:54:56PM -0500, Sam Varshavchik wrote:
Josip Rodin writes:
On Tue, Jan 12, 2010 at 07:13:50AM -0500, Sam Varshavchik wrote:
# authtest mr...@courier-mta.com
Authentication succeeded.
Authenticated: mr...@courier-mta.com (uid 8, gid 12)
Ho
On Tue, Jan 12, 2010 at 05:54:56PM -0500, Sam Varshavchik wrote:
> Josip Rodin writes:
>> On Tue, Jan 12, 2010 at 07:13:50AM -0500, Sam Varshavchik wrote:
>>> # authtest mr...@courier-mta.com
>>> Authentication succeeded.
>>>
>>> Authenticated: mr...@courier-mta.com (uid 8, gid 12)
>>> Home
Josip Rodin writes:
On Tue, Jan 12, 2010 at 07:13:50AM -0500, Sam Varshavchik wrote:
# authtest mr...@courier-mta.com
Authentication succeeded.
Authenticated: mr...@courier-mta.com (uid 8, gid 12)
Home Directory: /var/spool/maildir/mrsam
Maildir: (none)
Quota: (no
On Tue, Jan 12, 2010 at 07:13:50AM -0500, Sam Varshavchik wrote:
> # authtest mr...@courier-mta.com
> Authentication succeeded.
>
> Authenticated: mr...@courier-mta.com (uid 8, gid 12)
> Home Directory: /var/spool/maildir/mrsam
> Maildir: (none)
> Quota: (none)
> Encry
Josip Rodin writes:
On Mon, Jan 11, 2010 at 09:56:21PM -0500, Sam Varshavchik wrote:
Christoph Anton Mitterer writes:
On Sun, 2010-01-10 at 12:29 -0500, Sam Varshavchik wrote:
This depends on the maildrop configuration, but generally setgroupid
won't have any effect if maildrop is invoked as
On Mon, Jan 11, 2010 at 09:56:21PM -0500, Sam Varshavchik wrote:
> Christoph Anton Mitterer writes:
>> On Sun, 2010-01-10 at 12:29 -0500, Sam Varshavchik wrote:
>>> This depends on the maildrop configuration, but generally setgroupid
>>> won't have any effect if maildrop is invoked as root, since
Christoph Anton Mitterer writes:
On Sun, 2010-01-10 at 12:29 -0500, Sam Varshavchik wrote:
This depends on the maildrop configuration, but generally setgroupid won't
have any effect if maildrop is invoked as root, since maildrop will use the
userid specified by the -d option to set its running
On Sun, 2010-01-10 at 12:29 -0500, Sam Varshavchik wrote:
> This depends on the maildrop configuration, but generally setgroupid won't
> have any effect if maildrop is invoked as root, since maildrop will use the
> userid specified by the -d option to set its running group and userid
> anyway.
U
Josip Rodin writes:
On Sun, Jan 10, 2010 at 05:06:56PM +0100, Christoph Anton Mitterer wrote:
Not sure if this is actually a hole or if I just misunderstand
something,... but:
In Debian /usr/bin/maildrop is installed:
-rwxr-sr-x 1 root mail 163k Nov 9 01:11 /usr/bin/maildrop
So I'd expect that
On Sun, Jan 10, 2010 at 05:06:56PM +0100, Christoph Anton Mitterer wrote:
> Not sure if this is actually a hole or if I just misunderstand
> something,... but:
>
> In Debian /usr/bin/maildrop is installed:
> -rwxr-sr-x 1 root mail 163k Nov 9 01:11 /usr/bin/maildrop
>
> So I'd expect that the follo
Package: maildrop
Justification: user security hole
Severity: grave
Tags: security
Hi.
Not sure if this is actually a hole or if I just misunderstand
something,... but:
In Debian /usr/bin/maildrop is installed:
-rwxr-sr-x 1 root mail 163k Nov 9 01:11 /usr/bin/maildrop
So I'd expect that the foll