Hi,

On Thu, May 03, 2007 at 10:14:50PM +0200, Michael wrote:
> Hi all,
>
> On a hardened server which provides mail and web content I wanted to run
> qmailadmin. qmailadmin uses a binary in cgi-bin which is owned by user
> and group vpopmail, and has suid bit set. Before installing vpopmail I
> had my /var set to be mounted nosuid, because it'll be the first place
> any untrusted person might be able to have write access. So to make
> qmailadmin run from the cgi-bin I had to mount my /var without
> nosuid/with suid, which I'd like not to do, would there be any way
> around this?

AFAICT qmail is not even expected to run on a non-suid-ed /var. /var/qmail/bin/qmail-queue is a qmailq:qmail suid-ed binary.

And you should worry about /var/tmp, not /var, I guess.

> The next problem involves tpe (trusted path execution). I set up the
> wheel group as trusted group, so all other groups are untrusted. I think
> I might need to change this so a customer group will become untrusted
> and will contain the users that I don't trust, but if everything works
> this way (every group but wheel untrusted) I think that'd even be
> better... Now the problem is qmailadmin again... It's in the cgi-bin
> dir, which is owned by user and group apache, so apache has write access
> there. qmailadmin is owned by user and group vpopmail, so tpe says it's
> not safe for apache to execute qmailadmin. If I turn tpe off it works
> just fine, but of course I want tpe on.

You can add a different group just for TPE (not wheel) and, as a worst-case scenario, set it as a supplementary group for all user IDs that don't work well with it. But first try to tweak the Unix permissions involved in the TPE denial.

bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
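
The two checks discussed in this thread, as an added example that is not part of the original messages: whether a set-uid binary sits on a filesystem mounted nosuid (so the bit is ignored), and whether its directory would pass a TPE directory test. It assumes the TPE rule is "directory owned by root and not writable by group or others"; the mount table, the qmailadmin path, the uid and the modes are constructed sample values.

```python
import stat

# Constructed /proc/mounts-style sample (not from the thread): /var is nosuid,
# and a hypothetical separate /var/www filesystem is mounted without nosuid.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /var ext3 rw,nosuid,nodev 0 0
/dev/sda4 /var/www ext3 rw,nodev 0 0
"""

def mount_for(path, mounts_text):
    """Return (mountpoint, options) for the deepest mount containing path."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], set(fields[3].split(","))
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        # ">=" lets a later mount on the same mountpoint override an earlier one.
        if inside and (best is None or len(mnt) >= len(best[0])):
            best = (mnt, opts)
    return best

def suid_ignored(path, mode, mounts_text):
    """True if the file carries set-uid/set-gid bits on a nosuid filesystem."""
    has_bit = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    mnt = mount_for(path, mounts_text)
    return has_bit and mnt is not None and "nosuid" in mnt[1]

def tpe_dir_trusted(dir_uid, dir_mode):
    """Assumed TPE rule: directory owned by root, not group/world writable."""
    return dir_uid == 0 and not dir_mode & (stat.S_IWGRP | stat.S_IWOTH)

if __name__ == "__main__":
    # Constructed cases: (path, file mode, parent dir uid, parent dir mode).
    cases = [
        ("/var/qmail/bin/qmail-queue", 0o4711, 0, 0o755),
        ("/var/www/localhost/cgi-bin/qmailadmin", 0o6755, 81, 0o755),
    ]
    for path, mode, d_uid, d_mode in cases:
        print(path,
              "suid ignored:", suid_ignored(path, mode, SAMPLE_MOUNTS),
              "| TPE-trusted dir:", tpe_dir_trusted(d_uid, d_mode))
```

On a live system the same functions can be fed the contents of /proc/mounts and the values from os.stat() on the binary and its parent directory.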