This is a discussion on Qmail - Qmail-scanner - vpopmail - Big problem with permission within the alt.comp.mail.qmail forums, part of the Mail Servers and Related category.
Hello all,

I have a big problem with qmail-scanner. I use vpopmail with qmail. I set up qmail-scanner to run as user qscand, but I had problems with permissions and I changed the permissions to run it as user vpopmail, group vchkpw. It works, but when the message is an error message that must be returned to the sender, qmail-scanner says:

Jul 11 11:23:47 ns X-Qmail-Scanner-1.22: [] cannot create /var/spool/qmailscan/tmp - Permission denied
Jul 11 11:23:47 ns X-Qmail-Scanner-1.22: [] cannot create /var/spool/qmailscan/archives - Permission denied

I changed the owner of qmail-scanner to root with the +s flag and set all directories for qmail-scanner to a+rwx, but the problem was not resolved. I read lots of documentation and tried a lot of hints, but the problem is not resolved. Can anybody help me?

Regards,
Condor
John Doe wrote:
> Hello all,
>
> I have a big problem with qmail-scanner.
> I use vpopmail with qmail. I set up qmail-scanner to run as user qscand, but I had problems with permissions and I changed the permissions to run it as user vpopmail, group vchkpw.

umm... why.. that's a Bad Idea. qmail-scanner runs as an entirely separate user for a few very good reasons:

if, while breaking the email apart, an exploit is performed that attempts to modify files on your filesystem, the qscand user should not have any permission to do so, therefore the attempt is thwarted.

if, while running a virus scanner, an exploit is performed, again, nothing will be affected (other than perhaps the qmail-scanner directories, which, isn't mission critical if some of those files get completely destroyed, as they can be regenerated, and any incoming emails that get destroyed will get deferred and tried again)

now say, someone ran that exploit when you had qmail-scanner running as the vpopmail user, or as root as you said you had done. There can be a very huge impact on your system, and one that may not be easily recoverable.

I will not go forth and tell you how to solve the problem you're having, simply because you should not attempt to do what you're doing.

-Jeremy

--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
jeremy@inter7.com ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
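A read-only check for the permission state this thread argues about, as an added example that is not part of any post: it flags spool directories that are not owned by the dedicated scanner account or are world-writable (the a+rwx change), and a scanner script that is setuid to some other account (the root +s change). The function names and the script-path argument are assumptions of this example; the thread supplies only the spool paths and the qscand account, and treating setuid to any account other than the scanner account as a finding is this example's policy.

```sh
#!/bin/sh
# Added example: audit the qmail-scanner permission layout discussed in the thread.
# Usage: audit_qmailscan /var/spool/qmailscan qscand /path/to/qmail-scanner-queue.pl
# (the script path is a placeholder; the thread never gives its location)

# Owner name and 10-character mode string, taken from "ls -ld" for portability.
owner_of() { ls -ld "$1" | awk '{print $3}'; }
mode_of()  { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; }

# Prints one line per finding; returns 0 only when nothing was found.
audit_qmailscan() {
    spool=$1; user=$2; script=$3; findings=0
    for d in "$spool" "$spool/tmp" "$spool/archives"; do
        if [ ! -d "$d" ]; then
            echo "MISSING  $d"
            findings=$((findings + 1))
            continue
        fi
        o=$(owner_of "$d"); m=$(mode_of "$d")
        if [ "$o" != "$user" ]; then
            echo "OWNER    $d is owned by $o, expected $user"
            findings=$((findings + 1))
        fi
        # The 9th character of the mode string is the write bit for "other".
        case $m in
            ????????w?)
                echo "WORLD-W  $d is world-writable ($m)"
                findings=$((findings + 1)) ;;
        esac
    done
    if [ -f "$script" ]; then
        o=$(owner_of "$script"); m=$(mode_of "$script")
        # The 4th character is s or S when the setuid bit is set.
        case $m in
            ???[sS]??????)
                if [ "$o" != "$user" ]; then
                    echo "SETUID   $script runs as $o, expected $user"
                    findings=$((findings + 1))
                fi ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}
```

The function only reads metadata, so it can be run as any user that can list the spool directory.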
"Jeremy Kitchen" <kitchen-usenet@scriptkitchen.com> wrote in message news:10f3g746ndrhd58@corp.supernews.com...
> John Doe wrote:
> > Hello all,
> >
> > I have a big problem with qmail-scanner.
> > I use vpopmail with qmail. I set up qmail-scanner to run as user qscand, but I had problems with permissions and I changed the permissions to run it as user vpopmail, group vchkpw.
>
> umm... why.. that's a Bad Idea. qmail-scanner runs as an entirely separate user for a few very good reasons:
> if, while breaking the email apart, an exploit is performed that attempts to modify files on your filesystem, the qscand user should not have any permission to do so, therefore the attempt is thwarted.
>
> if, while running a virus scanner, an exploit is performed, again, nothing will be affected (other than perhaps the qmail-scanner directories, which, isn't mission critical if some of those files get completely destroyed, as they can be regenerated, and any incoming emails that get destroyed will get deferred and tried again)
>
> now say, someone ran that exploit when you had qmail-scanner running as the vpopmail user, or as root as you said you had done. There can be a very huge impact on your system, and one that may not be easily recoverable.
>
> I will not go forth and tell you how to solve the problem you're having, simply because you should not attempt to do what you're doing.
>
> -Jeremy

Yes, I know, but the problem is that if I set up qmail-scanner normally as user qscand, it works up to one point: if a message must be returned to the sender, qmail-scanner is run by user qmails, not qscand, and the error is:

Jul 12 06:47:53 ns X-Qmail-Scanner-1.22: [ns108960407347928751] cannot open /var/spool/qmailscan/qmail-scanner-queue-version.txt - did you initialise the system by running "qmail-scanner-queue.pl -z"? - Permission denied

or

X-Qmail-Scanner-1.22:[] cannot create /var/spool/qmailscan/tmp - Permission denied

I see this error only if the user does not exist on the server and the email must be returned to the sender. This is the problem, and this is what I would like somebody to help me with, if they know how to fix it. I use the QMAILQUEUE environment variable, not a direct replacement of qmail-queue.

Regards,
John
"John Doe" <axam@vcable.net> wrote in message news:64r9s1-3s7.ln1@ns.ixip.net...
>
> "Jeremy Kitchen" <kitchen-usenet@scriptkitchen.com> wrote in message news:10f3g746ndrhd58@corp.supernews.com...
> > John Doe wrote:
> > > Hello all,
> > >
> > > I have a big problem with qmail-scanner.
> > > I use vpopmail with qmail. I set up qmail-scanner to run as user qscand, but I had problems with permissions and I changed the permissions to run it as user vpopmail, group vchkpw.
> >
> > umm... why.. that's a Bad Idea. qmail-scanner runs as an entirely separate user for a few very good reasons:
> > if, while breaking the email apart, an exploit is performed that attempts to modify files on your filesystem, the qscand user should not have any permission to do so, therefore the attempt is thwarted.
> >
> > if, while running a virus scanner, an exploit is performed, again, nothing will be affected (other than perhaps the qmail-scanner directories, which, isn't mission critical if some of those files get completely destroyed, as they can be regenerated, and any incoming emails that get destroyed will get deferred and tried again)
> >
> > now say, someone ran that exploit when you had qmail-scanner running as the vpopmail user, or as root as you said you had done. There can be a very huge impact on your system, and one that may not be easily recoverable.
> >
> > I will not go forth and tell you how to solve the problem you're having, simply because you should not attempt to do what you're doing.
> >
> > -Jeremy
>
> Yes, I know, but the problem is that if I set up qmail-scanner normally as user qscand, it works up to one point: if a message must be returned to the sender, qmail-scanner is run by user qmails, not qscand, and the error is:
> Jul 12 06:47:53 ns X-Qmail-Scanner-1.22: [ns108960407347928751] cannot open /var/spool/qmailscan/qmail-scanner-queue-version.txt - did you initialise the system by running "qmail-scanner-queue.pl -z"? - Permission denied
> or
> X-Qmail-Scanner-1.22:[] cannot create /var/spool/qmailscan/tmp - Permission denied
>
> I see this error only if the user does not exist on the server and the email must be returned to the sender.
> This is the problem, and this is what I would like somebody to help me with, if they know how to fix it.
> I use the QMAILQUEUE environment variable, not a direct replacement of qmail-queue.
>
> Regards,
> John

The problem is resolved.

Regards,
John