Gentoo Archives: gentoo-hardened

From: Petre Rodan <kaiowas@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] qmailadmin, nosuid and tpe
Date: Fri, 04 May 2007 05:47:47
Message-Id: 20070504054547.GA7918@peter.bu.avira.com
In Reply to: [gentoo-hardened] qmailadmin, nosuid and tpe by Michael
hi,

On Thu, May 03, 2007 at 10:14:50PM +0200, Michael wrote:
> Hi all,
>
> On a hardened server which provides mail and web content I wanted to run
> qmailadmin. qmailadmin uses a binary in cgi-bin which is owned by user
> and group vpopmail, and has suid bit set. Before installing vpopmail I
> had my /var set to be mounted nosuid, because it'll be the first place
> any untrusted person might be able to have write access. So to make
> qmailadmin run from the cgi-bin I had to mount my /var without
> nosuid/with suid, which I'd like not to do, would there be any way
> around this?

AFAICT qmail is not even expected to run on a non-suid-ed /var. /var/qmail/bin/qmail-queue is a qmailq:qmail suid-ed binary.

and you should worry about /var/tmp, not /var, I guess.

> The next problem involves tpe (trusted path execution). I set up the
> wheel group as trusted group, so all other groups are untrusted. I think
> I might need to change this so a customer group will become untrusted
> and will contain the users that I don't trust, but if everything works
> this way (every group but wheel untrusted) I think that'd even be
> better... Now the problem is qmailadmin again... It's in the cgi-bin
> dir, which is owned by user and group apache, so apache has write access
> there. qmailadmin is owned by user and group vpopmail, so tpe says it's
> not safe for apache to execute qmailadmin. If I turn tpe off it works
> just fine, but of course I want tpe on.

you can add a different group just for TPE (not wheel) and as a worst case scenario set it as a supplementary group for all user IDs that don't work well with it. but first try to tweak the unix permissions involved in the tpe denial.

bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
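The two checks behind Petre's reply, as an added shell example that is not part of this thread nor of qmail or grsecurity: first, list the setuid/setgid files a nosuid mount of /var would neutralise (the reply names /var/qmail/bin/qmail-queue); second, test a directory against the TPE directory rule, which denies untrusted users execution of binaries living in a directory that is not root-owned or is group/world writable, which is why a cgi-bin owned by apache:apache trips it. The example assumes a Linux host with POSIX find and /proc/mounts; the cgi-bin path in the demo is an assumed location, not one taken from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes Linux, POSIX find,
# and /proc/mounts; nothing here needs grsecurity to run.

# find_suid_files DIR: regular files under DIR (same filesystem only) that
# carry the setuid or setgid bit. Every one of them stops gaining privilege
# if DIR's filesystem is mounted nosuid.
find_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# has_nosuid OPTIONS: exit 0 if a comma-separated mount option string
# (fstab or /proc/mounts style) contains the nosuid flag.
has_nosuid() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx nosuid
}

# suid_conflicts DIR OPTIONS: print the setuid/setgid files that mounting DIR
# with OPTIONS would break; exit 1 if there are any, 0 otherwise.
suid_conflicts() {
    has_nosuid "$2" || return 0
    conflicts=$(find_suid_files "$1")
    [ -z "$conflicts" ] && return 0
    printf '%s\n' "$conflicts"
    return 1
}

# tpe_dir_ok DIR: exit 0 when DIR satisfies the TPE directory rule, i.e. it is
# owned by root and neither group- nor world-writable. -prune keeps find on
# DIR itself; octal -perm masks are portable across find implementations.
tpe_dir_ok() {
    [ -n "$(find "$1" -prune -user root ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# demo: read-only report for the live host. /var/www/localhost/cgi-bin is an
# assumed Apache cgi-bin location, not a path from the thread.
demo() {
    opts=$(awk '$2 == "/var" { print $4 }' /proc/mounts 2>/dev/null)
    if [ -n "$opts" ]; then
        suid_conflicts /var "$opts" || echo "nosuid on /var would break the files above"
    fi
    for d in /var/www/localhost/cgi-bin /var/qmail/bin; do
        [ -d "$d" ] || continue
        if tpe_dir_ok "$d"; then echo "TPE dir ok:   $d"; else echo "TPE dir deny: $d"; fi
    done
}

demo
```

Run it as-is for the report, or source it and call `suid_conflicts /var "$(awk '$2=="/var"{print $4}' /proc/mounts)"` before changing fstab. When `tpe_dir_ok` fails for a cgi-bin, the permission tweak Petre suggests trying first is making the directory root-owned and mode 755; the supplementary TPE group is the fallback.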

Replies

Subject: Re: [gentoo-hardened] qmailadmin, nosuid and tpe
Author: Michael <mycroes@××××××.nl>