07-12-2004
John Doe
Re: Qmail - Qmail-scanner - vpopmail - Big problem with permission


"Jeremy Kitchen" <kitchen-usenet@scriptkitchen.com> wrote in message
news:10f3g746ndrhd58@corp.supernews.com...
> John Doe wrote:
> > Hello all,
> >
> > I have a big problem with qmail-scanner.
> > I use vpopmail with qmail. I set up qmail-scanner to run with user qscand
> > but I have problems with permissions and I
> > change permissions to use as user vpopmail group vchkpw.
>
> umm... why.. that's a Bad Idea. qmail-scanner runs as an entirely separate
> user for a few very good reasons:
> if, while breaking the email apart, an exploit is performed that attempts to
> modify files on your filesystem, the qscand user should not have any
> permission to do so, therefore the attempt is thwarted.
>
> if, while running a virus scanner, an exploit is performed, again, nothing
> will be affected (other than perhaps the qmail-scanner directories, which
> aren't mission critical if some of those files get completely destroyed, as
> they can be regenerated, and any incoming emails that get destroyed will get
> deferred and tried again)
>
> now say, someone ran that exploit when you had qmail-scanner running as the
> vpopmail user, or as root as you said you had done. There can be a very huge
> impact on your system, and one that may not be easily recoverable.
>
> I will not go forth and tell you how to solve the problem you're having,
> simply because you should not attempt to do what you're doing.
>
> -Jeremy


Yeah, I know, but the problem is that if I set up qmail-scanner normally as
user qscand, it works up to one point: when a message must be returned to
the sender, qmail-scanner is run by user qmails, not qscand, and the error is:

Jul 12 06:47:53 ns X-Qmail-Scanner-1.22: [ns108960407347928751] cannot open /var/spool/qmailscan/qmail-scanner-queue-version.txt - did you initialise the system by running "qmail-scanner-queue.pl -z"? - Permission denied

or

X-Qmail-Scanner-1.22:[] cannot create /var/spool/qmailscan/tmp - Permission denied

I see this error only if the user does not exist on the server and the email
must be returned to the sender.
This is the problem, and I would like somebody to help me if they know how to
fix this.
I use env QMAILQUEUE, not a direct replacement of qmail-queue.


Regards,
John

