• Bug#259246: acknowledged by developer (openwebmail: permissions) (1/2)

    From Sergio Rua@1:229/2 to Dariush Pietrzak on Thu Aug 12 17:10:13 2004
    From: [email protected]

    Hello,

    I see how you did it now. But it wouldn't work for most of the
    people that are using the standard /var/mail for mailbox storage.
    Also most of the people use owm in conjunction with other mail readers
    (imap, pop3, local).

    Even if it would be really good to have this choice, it would
    need a long period of development to satisfy anybody's needs. I regret
    to say that this is a special configuration that can't be considered for a Debian package.

    Thank you very much.



    On Aug/12/2004, Dariush Pietrzak wrote:

    It's been more than a year that I've been using openwebmail without root in multiple locations. I already described this setup.

    I've tried and it didn't work at all.
    What exactly didn't work?

    It needs to be root in advance to later on change the euid to the logged
    why would you want to change the euid to the logged-in user? This is webmail,
    it only needs to read and send mail.

    Because openwebmail reads and writes in mailboxes. These mailboxes have
    an owner. Openwebmail does the login, changes the euid to the owner of the

    These Mailboxes are created by openwebmail, thus, if it won't change their owner, it won't have to keep changing it.

    This has the disadvantage that if someone manages to break into openwebmail, they can read the mail of other people ( because ALL data is owned by one single user, be it www-data or owm or openwebmail.
    www-data has the disadvantage that anyone with the ability to run code as www-data can read mail. That's where suexec comes to the rescue ),
    but, if the same person manages to break into openwebmail, and it's
    running as root...


    Could you detail your configuration and send me an 'ls -l' of your *.pl files?
    I create user owm, then perform the installation as this user ( this is
    straightforward with installation in ~/public_html/ as suexec recognizes
    /~owm/cgi... requests and runs them as owm user; with the production setup I
    had to create a virtual server to tell suexec which requests to run as owm ).
    Next, I configure owm to use pop3 authentication, disallow changing
    the password etc., and then the only hurdle comes: when someone logs in for
    the first time, owm creates a maildir for her, and then tries to chown it to
    her userid ( which is funny, because a few lines earlier it checks if it is
    running as root, and does a few things differently...). Anyhow, one needs to
    change those lines... the simplest way is to add this:

    sub owchown {
        # Only call the real chown when the script runs as root
        # (i.e. it was installed setuid root); return its result.
        if ( $> == 0 ) {
            return chown(@_);
        }
        # Unprivileged (suexec) setup: chown would fail, so report
        # success and leave the maildir owned by the owm user.
        return 1;
    }


    to shares/ow-shared.pl, and then replace all calls to 'chown' in openwebmail.pl to 'owchown'.
    ( Without this change you'll have to create maildirs for your users
    yourself ).


    This is a basic, working setup. It should satisfy most needs; it leaves a few features inaccessible ( like changing your password )...

    /usr/lib/cgi-bin/openwebmail# ls -l
    total 900
    drwxr-xr-x 2 root root 4096 Jul 15 20:38 auth
    drwxr-xr-x 6 www-data root 4096 Jul 15 20:39 etc
    drwxr-xr-x 2 root root 4096 Jul 15 20:38 modules
    -rwxr-xr-x 1 www-data www-data 38172 Jul 13 18:19 openwebmail-abook.pl
    -rwxr-xr-x 1 www-data www-data 24181 Jul 13 18:19 openwebmail-advsearch.pl
    -rwxr-xr-x 1 www-data www-data 112376 Jul 13 18:19 openwebmail-cal.pl
    -rwxr-xr-x 1 www-data www-data 22999 Jul 13 18:19 openwebmail-folder.pl
    -rwxr-xr-x 1 www-data www-data 63003 Jul 13 18:19 openwebmail-main.pl
    -rwxr-xr-x 1 www-data www-data 127548 Jul 13 18:19 openwebmail-prefs.pl
    -rwxr-xr-x 1 www-data www-data 61629 Jul 13 18:19 openwebmail-read.pl
    -rwxr-xr-x 1 www-data www-data 105746 Jul 13 18:19 openwebmail-send.pl
    -rwxr-xr-x 1 www-data www-data 24714 Jul 13 18:19 openwebmail-spell.pl
    -rwxr-xr-x 1 www-data www-data 52260 Jul 13 18:19 openwebmail-tool.pl
    -rwxr-xr-x 1 www-data www-data 48620 Jul 13 18:19 openwebmail-vdomain.pl
    -rwxr-xr-x 1 www-data www-data 18610 Jul 13 18:19 openwebmail-viewatt.pl
    -rwxr-xr-x 1 www-data www-data 109764 Jul 13 18:19 openwebmail-webdisk.pl
    -rwxr-xr-x 1 www-data www-data 31966 Jul 15 20:50 openwebmail.pl
    -rwxr-xr-x 1 www-data www-data 4756 Apr 11 22:08 preload.pl
    drwxr-xr-x 2 root root 61 Jul 15 20:38 quota
    drwxr-xr-x 2 root root 4096 Jul 15 20:50 shares
    -rwxr-xr-x 1 www-data www-data 4151 May 8 05:07 userstat.pl
    -rwxr-xr-x 1 www-data www-data 18228 Apr 11 22:08 vacation.pl

    and

    /var/spool/openwebmail/spool:
    total 142640
    -rw------- 1 www-data www-data 1013623 Aug 11 00:53 adam
    -rw------- 1 www-data www-data 0 Jul 20 12:26 artone
    -rw------- 1 www-data www-data 0 Aug 2 19:49 bartekflis
    -rw------- 1 www-data www-data 114829 Aug 7 19:32 chomik
    ...

    /var/spool/openwebmail/users:
    total 0
    drwx------ 4 www-data www-data 36 Aug 3 14:02 adam
    drwx------ 4 www-data www-data 36 Jul 20 12:26 artone
    drwx------ 4 www-data www-data 36 Aug 2 19:49 bartekflis
    drwx------ 4 www-data www-data 36 Jul 18 04:55 chomik
    ...


    --
    Dariush Pietrzak,
    Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
    --
    Sergio

    Q: What's the difference between the 1950's and the 1980's?
    A: In the 80's, a man walks into a drugstore and states loudly, "I'd
    like some condoms," and then, leaning over the counter, whispers,
    "and some cigarettes."
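The no-root setup described in the thread hinges on one wrapper: when the CGI does not run as root it must not attempt a chown, yet it should not silently accept a maildir that belongs to someone else or is readable by other accounts. The following is an added example (not OpenWebMail's code, nor anything either correspondent posted) of a stricter `owchown` plus a small maildir-creation routine that uses it; the function names, the temporary directory and the user name `alice` are all constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use Fcntl qw(:mode);

# Hypothetical stricter replacement for the owchown wrapper (example code).
#   - running as root ($> == 0): perform the real chown and return its result
#   - otherwise: chown would fail anyway, so instead verify that every path
#     is already owned by our effective uid and carries no group/other bits,
#     so a maildir that ended up belonging to another account, or readable
#     by other accounts, is reported rather than silently accepted.
# Returns the number of paths handled, or 0 if any path failed the check.
sub owchown {
    my ($uid, $gid, @paths) = @_;
    return chown($uid, $gid, @paths) if $> == 0;

    my $verified = 0;
    for my $path (@paths) {
        my @st = stat($path) or next;            # missing path: not verified
        next unless $st[4] == $>;                # inode owner must be our euid
        next if $st[2] & (S_IRWXG | S_IRWXO);    # must be private (0700/0600)
        $verified++;
    }
    return $verified == @paths ? $verified : 0;
}

# Create a Maildir layout (cur/new/tmp) with mode 0700 and run it through
# owchown, the way the first-login code path in the thread would.
sub create_maildir {
    my ($base, $user) = @_;
    my $dir   = "$base/$user";
    my @dirs  = ($dir, "$dir/cur", "$dir/new", "$dir/tmp");
    for my $d (@dirs) {
        mkdir $d, 0700 or die "mkdir $d: $!" unless -d $d;
    }
    my $egid = (split ' ', $))[0];               # first effective gid
    owchown($>, $egid, @dirs)
        or die "maildir $dir is not owned by euid $> or is group/world accessible\n";
    return $dir;
}

# Demo on a temporary directory that is removed on exit.
my $base = tempdir(CLEANUP => 1);
my $md   = create_maildir($base, 'alice');
print "created private maildir $md\n";

# A directory with group/other permission bits is rejected in the
# unprivileged branch even though we own it.
mkdir "$base/leaky" or die "mkdir: $!";
chmod 0755, "$base/leaky";
my $accepted = owchown($>, -1, "$base/leaky");
print "leaky directory accepted? ", ($accepted ? "yes" : "no"), "\n";
```

Run it as the unprivileged web user (the `owm` account in the thread): the `alice` maildir passes and the `leaky` directory is refused. If the same script is run as root, `owchown` falls through to the real `chown`, which is exactly the branch the thread argues a webmail CGI should never need.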

