| 1 |
Hi all, |
| 2 |
|
| 3 |
Op vrijdag 04-05-2007 om 08:45 uur [tijdzone +0300], schreef Petre |
| 4 |
Rodan: |
| 5 |
> hi, |
| 6 |
> |
| 7 |
> On Thu, May 03, 2007 at 10:14:50PM +0200, Michael wrote: |
| 8 |
> > Hi all, |
| 9 |
> > |
| 10 |
> > On a hardened server which provides mail and web content I wanted to run |
| 11 |
> > qmailadmin. qmailadmin uses a binary in cgi-bin which is owned by user |
| 12 |
> > and group vpopmail, and has suid bit set. Before installing vpopmail I |
| 13 |
> > had my /var set to be mounted nosuid, because it'll be the first place |
| 14 |
> > any untrusted person might be able to have write access. So to make |
| 15 |
> > qmailadmin run from the cgi-bin I had to mount my /var without |
| 16 |
> > nosuid/with suid, which I'd like not to do, would there be any way |
| 17 |
> > around this? |
| 18 |
> |
| 19 |
> AFAICT qmail is not even expected to run on a non-suid-ed /var. /var/qmail/bin/qmail-queue is a qmailq:qmail suid-ed binary. |
| 20 |
|
| 21 |
Good point, I guess you're very right on that one... |
| 22 |
|
| 23 |
> and you should worry about /var/tmp not /var I guess. |
| 24 |
|
| 25 |
Customers will have write access with PHP, at least in some part |
| 26 |
of /var/www. So there it's more than just /var/tmp in my case, however |
| 27 |
they shouldn't be able to create any suid files anyway. |
| 28 |
|
| 29 |
> > The next problem involves tpe (trusted path execution). I set up the |
| 30 |
> > wheel group as trusted group, so all other groups are untrusted. I think |
| 31 |
> > I might need to change this so a customer group will become untrusted |
| 32 |
> > and will contain the users that I don't trust, but if everything works |
| 33 |
> > this way (every group but wheel untrusted) I think that'd even be |
| 34 |
> > better... Now the problem is qmailadmin again... It's in the cgi-bin |
| 35 |
> > dir, which is owned by user and group apache, so apache has write access |
| 36 |
> > there. qmailadmin is owned by user and group vpopmail, so tpe says it's |
| 37 |
> > not safe for apache to execute qmailadmin. If I turn tpe off it works |
| 38 |
> > just fine, but of course I want tpe on. |
| 39 |
> |
| 40 |
> you can add a different group just for TPE (not wheel) and as a worst case scenario set it as a supplementary group for all user id's that don't work well with it. but first try to tweak the unix permissions involved in the tpe denial. |
| 41 |
|
| 42 |
I can't really change anything about the permissions for that certain |
| 43 |
file, because it needs to be run as vpopmail to have access to some of |
| 44 |
the vpopmail commands. Your idea about the supplemental group is a good |
| 45 |
one, I'll keep it in mind if I run into more problems. |
| 46 |
|
| 47 |
> bye, |
| 48 |
> peter |
| 49 |
|
| 50 |
Thanks, |
| 51 |
|
| 52 |
Michael Croes |
| 53 |
|
| 54 |
-- |
| 55 |
gentoo-hardened@g.o mailing list |
Archives