| 1 |
Hi all, |
| 2 |
|
| 3 |
On a hardened server which provides mail and web content I wanted to run |
| 4 |
qmailadmin. qmailadmin uses a binary in cgi-bin which is owned by user |
| 5 |
and group vpopmail, and has suid bit set. Before installing vpopmail I |
| 6 |
had my /var set to be mounted nosuid, because it'll be the first place |
| 7 |
any untrusted person might be able to have write access. So to make |
| 8 |
qmailadmin run from the cgi-bin I had to mount my /var without |
| 9 |
nosuid/with suid, which I'd like not to do, would there be any way |
| 10 |
around this? |
| 11 |
|
| 12 |
The next problem involves tpe (trusted path execution). I set up the |
| 13 |
wheel group as trusted group, so all other groups are untrusted. I think |
| 14 |
I might need to change this so a customer group will become untrusted |
| 15 |
and will contain the users that I don't trust, but if everything works |
| 16 |
this way (every group but wheel untrusted) I think that'd even be |
| 17 |
better... Now the problem is qmailadmin again... It's in the cgi-bin |
| 18 |
dir, which is owned by user and group apache, so apache has write access |
| 19 |
there. qmailadmin is owned by user and group vpopmail, so tpe says it's |
| 20 |
not safe for apache to execute qmailadmin. If I turn tpe off it works |
| 21 |
just fine, but of course I want tpe on. |
| 22 |
|
| 23 |
How do you work around these problems? Did you own the apache cgi-bin |
| 24 |
(that's where qmailadmin lives) by user root and gave group ro access? I |
| 25 |
think that would solve the problem as far as tpe is concerned... |
| 26 |
|
| 27 |
Some help would be very welcome. |
| 28 |
Regards, |
| 29 |
|
| 30 |
Michael Croes |
| 31 |
|
| 32 |
-- |
| 33 |
gentoo-hardened@g.o mailing list |
Archives