Re: Squirrelmail and sasldb2 plugin

On 11/8/06, Martin Schweizer <schweizer.martin@xxxxxxxxx> wrote:
> Hello Paul
>
> 2006/11/8, Paul Lesniewski <paul@xxxxxxxxxxxxxxxx>:
> > > > > > > I use the following system:
> > > > > > >
> > > > > > > - FreeBSD 6.1
> > > > > > > - Sendmail
> > > > > > > - Cyrus Imap
> > > > > > > - Squirrelmail 1.48 (incl. plugin Change SASL Password )
> > > > > > >
> > > > > > > As described in the Readme and in chgsaslpasswd.c
> > > > > > > file (from the plugin directory) I set the following:
> > > > > > >
> > > > > > >
> > > > > > > chgsaslpasswd.c
> > > > > > > *******************
> > > > > > > ...
> > > > > > > #define UID 60
> > > > > > > ...
> > > > > > >
> > > > > > > (UID 60 is the user cyrus)
> > > > > > >
> > > > > > >
> > > > > > > chgsaslpasswd (compiled version)
> > > > > > > ***************************************
> > > > > > > - chmod to 4550
> > > > > > > - chown to cyrus:www
> > > > > > >
> > > > > > > (www is the apache group)
> > > > > > >
> > > > > > > -r-sr-x---   1 cyrus www  5167 20 Okt 11:52 chgsaslpasswd
> > > > > > >
> > > > > > >
> > > > > > > /usr/local/etc/sasldb2.db
> > > > > > > ***************************
> > > > > > > -rw-r--r--   1 root  cyrus   24576 20 Okt 11:46 sasldb2.db
> > > > > > >
> > > > > > >
> > > > > > > With the above rights it will not work (these are the defaults). If I
> > > > > > > set these to
> > > > > > >
> > > > > > > -rw-r--rw-   1 root  cyrus   24576 20 Okt 11:46 sasldb2.db
> > > > > > >
> > > > > > > then it works (but is a security hole).
> > > > > >
> > > > > > Well, if chgsaslpasswd is supposed to suid to cyrus, then rw-r--r--
> > > > > > root:cyrus should NOT have ability to change passwords, as expected.
> > > > > > Why didn't you try rw-rw-r-- (664)?  I dunno who else needs to see
> > > > > > this file, but if you can get away with it, rw-rw---- (660) is even
> > > > > > more secure.
> > > > >
> > > > > I'm very confused because it's not running. Here my details:
> > > > >
> > > > > In chgsaslpasswd.c I defined as
> > > > > #define UID 60
> > > > > #define CMD "/usr/local/bin/sudo -u root /usr/local/sbin/saslpasswd2"
> > > > > (in sudoers is root defined as allowed all, I also tested this string
> > > > > as a normal shell user and it works)
> > > > >
> > > > > or
> > > > > #define UID 60
> > > > > #define CMD "/usr/local/sbin/saslpasswd2"
> > > > >
> > > > > both are not working.
> > > > >
> > > > > sasldb2.db is not working with
> > > > > -rw-rw----  1 root  cyrus    24K  3 Nov 16:53 sasldb2.db
> > > > >
> > > > > it's working only with -rw-rw--w- but the strange issue is that the
> > > > > group cyrus has the members
> > > > >
> > > > > acsvfbsd04# pw show group cyrus
> > > > > cyrus:*:60:cyrus,www
> > > >
> > > > Why is www in cyrus group???
> > > >
> > > > > and httpd is running as user www (and group www).
> > > > >
> > > > > As which user is chgsaslpasswd running? The rights are
> > > > > -rwxr-xr-x  1 root  wheel   3,3K  3 Nov 17:30 chgsaslpasswd (I will
> > > > > set the rights described in the Readme later).
> > > >
> > > > Umm, of course it doesn't work if you do this *later*.  Please follow
> > > > the README and INSTALL instructions in FULL before posting.
> > >
> > > Probably you misunderstood my comments. Of course I followed Readme
> > > and install but I also tested chgsaslpasswd with
> > > -rwxrwxrwx   1 root  www    3368  8 Nov 08:19 chgsaslpasswd
> > > too. Both with no success.
> >
> > This will never work; it does not have suid permission.
> >
> > > Now I have
> > > -rw-rw----   1 root  cyrus   24576  8 Nov 08:09 sasldb2.db
> >
> > Try:
> >
> > chown cyrus:root sasldb2.db
> >
> > while leaving permissions as above.
> >
> > > (I cross checked the rights with the user cyrus which can set password
> > > with saslpasswd2)
> > > and
> > > -r-sr-x---   1 root  www    3368  8 Nov 08:19 chgsaslpasswd
> >
> > Revert to what the Readme file tells you to:
> >
> > -r-sr-x---   1 cyrus  www    3368  8 Nov 08:19 chgsaslpasswd
> >
> > > and
> > > acsvfbsd04# pw show group cyrus
> > > cyrus:*:60:cyrus,www
> >
> > You do NOT want www in your cyrus group.  Period.
> >
> > > and
> > > #define UID 60 (the cyrus one's)
> > >
> > > This does not work unless I set #define UID to 0 (the root one's).
> > >
> > > Any ideas are welcome.
> >
> > You can get the script's error output if you run it from the command line:
> >
> > /usr/local/bin/sudo -u www chgsaslpasswd -p <username>
> > <password>
>
> I did the above without success. The output from /usr/local/bin/sudo
> -u www chgsaslpasswd -p <username> is an empty line (no messages) but
> the password will not change on sasldb2.db.

Show the return value of the script by doing this immediately after running it:

echo $?

You can also put debugging output in the suid script.  Have it print
out the UID after it changes users.  Also, did you contact the plugin
author to see if he can help?

Show your current ownership/permissions on all files again if you would.

--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
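
The debugging steps suggested in the reply above (print the UID after the user change, then read the exit status with `echo $?`), as an added example that is not code from the plugin or from either poster. `TARGET_UID` 60 and the database path are taken from the thread; `may_write` and `dump_ids` are hypothetical names, and the check covers only the classic owner/group/other bits, not ACLs.

```c
/* Added diagnostic sketch; not the plugin's chgsaslpasswd.c. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define TARGET_UID 60                        /* cyrus, per the thread */
#define DB_PATH "/usr/local/etc/sasldb2.db"  /* path shown in the thread */

/* Classic Unix rule: exactly one class (owner, group, other) is consulted;
 * the first class that matches decides, even if a later one is more permissive. */
int may_write(uid_t f_uid, gid_t f_gid, mode_t mode,
              uid_t euid, gid_t egid, const gid_t *groups, int ngroups)
{
    if (euid == 0) return 1;                          /* root bypasses mode bits */
    if (euid == f_uid) return (mode & S_IWUSR) != 0;  /* owner class */
    int in_group = (egid == f_gid);
    for (int i = 0; i < ngroups && !in_group; i++)    /* supplementary groups */
        in_group = (groups[i] == f_gid);
    if (in_group) return (mode & S_IWGRP) != 0;       /* group class */
    return (mode & S_IWOTH) != 0;                     /* other class */
}

/* Print real and effective IDs to stderr, labelled with the stage. */
void dump_ids(const char *stage)
{
    fprintf(stderr, "%s: ruid=%d euid=%d rgid=%d egid=%d\n", stage,
            (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
}

int main(void)
{
    struct stat st;
    dump_ids("start");
    if (setuid(TARGET_UID) != 0) {   /* a failed setuid must never be ignored */
        perror("setuid");
        return 2;
    }
    dump_ids("after setuid");
    if (stat(DB_PATH, &st) != 0) {
        perror(DB_PATH);
        return 3;
    }
    fprintf(stderr, "%s: owner=%d group=%d mode=%04o\n", DB_PATH,
            (int)st.st_uid, (int)st.st_gid, (unsigned)(st.st_mode & 07777));
    return may_write(st.st_uid, st.st_gid, st.st_mode,
                     geteuid(), getegid(), NULL, 0) ? 0 : 4;
}
```

Installed with the same owner and mode as the real helper and run the same way, `echo $?` then gives 0 (writable), 2 (setuid failed), 3 (stat failed) or 4 (mode bits deny write).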
