On 11/8/06, Paul Lesniewski <paul@xxxxxxxxxxxxxxxx> wrote:
> On 11/8/06, Martin Schweizer <schweizer.martin@xxxxxxxxx> wrote:
> > Hello Paul
> >
> > 2006/11/8, Paul Lesniewski <paul@xxxxxxxxxxxxxxxx>:
> > > > > > > > I use the following system:
> > > > > > > >
> > > > > > > > - FreeBSD 6.1
> > > > > > > > - Sendmail
> > > > > > > > - Cyrus Imap
> > > > > > > > - Squirrelmail 1.48 (incl. plugin Change SASL Password )
> > > > > > > >
> > > > > > > > As described in the Readme and in chgsaslpasswd.c
> > > > > > > > file (from the plugin directory) I set the following:
> > > > > > > >
> > > > > > > >
> > > > > > > > chgsaslpasswd.c
> > > > > > > > *******************
> > > > > > > > ...
> > > > > > > > #define UID 60
> > > > > > > > ...
> > > > > > > >
> > > > > > > > (UID 60 is the user cyrus)
> > > > > > > >
> > > > > > > >
> > > > > > > > chgsaslpasswd (compiled version)
> > > > > > > > ***************************************
> > > > > > > > - chmod to 4550
> > > > > > > > - chown to cyrus:www
> > > > > > > >
> > > > > > > > (www is the apache group)
> > > > > > > >
> > > > > > > > -r-sr-x--- 1 cyrus www 5167 20 Okt 11:52 chgsaslpasswd
> > > > > > > >
> > > > > > > >
> > > > > > > > /usr/local/etc/sasldb2.db
> > > > > > > > ***************************
> > > > > > > > -rw-r--r-- 1 root cyrus 24576 20 Okt 11:46 sasldb2.db
> > > > > > > >
> > > > > > > >
> > > > > > > > With the above rights it will not work (these are the defaults). If I
> > > > > > > > set these to
> > > > > > > >
> > > > > > > > -rw-r--rw- 1 root cyrus 24576 20 Okt 11:46 sasldb2.db
> > > > > > > >
> > > > > > > > then it works (but is a security hole).
> > > > > > > >
> > > > > > > Well, if chgsaslpasswd is supposed to suid to cyrus, then rw-r--r--
> > > > > > > root:cyrus should NOT have ability to change passwords, as expected.
> > > > > > > Why didn't you try rw-rw-r-- (664)? I dunno who else needs to see
> > > > > > > this file, but if you can get away with it, rw-rw---- (660) is even
> > > > > > > more secure.
> > > > > > >
> > > > > > I'm very confused because it's not running. Here are my details:
> > > > > >
> > > > > > In chgsaslpasswd.c I defined as
> > > > > > #define UID 60
> > > > > > #define CMD "/usr/local/bin/sudo -u root /usr/local/sbin/saslpasswd2
> > > > > > (in sudoers is root defined as allowed all, I also tested this string
> > > > > > as a normal shell user and it works)
> > > > > >
> > > > > > or
> > > > > > #define UID 60
> > > > > > #define CMD "/usr/local/sbin/saslpasswd2"
> > > > > >
> > > > > > Both are not working.
> > > > > >
> > > > > > sasldb2.db is not working with
> > > > > > -rw-rw---- 1 root cyrus 24K 3 Nov 16:53 sasldb2.db
> > > > > >
> > > > > > it's working only with -rw-rw--w- but the strange issue is that the
> > > > > > group cyrus has the members
> > > > > >
> > > > > > acsvfbsd04# pw show group cyrus
> > > > > > cyrus:*:60:cyrus,www
> > > > > >
> > > > > Why is www in cyrus group???
> > > > >
> > > > > > and httpd is running as user www (and group www).
> > > > > >
> > > > > > As which user is chgsaslpasswd running? The rights are
> > > > > > -rwxr-xr-x 1 root wheel 3,3K 3 Nov 17:30 chgsaslpasswd (I will
> > > > > > set the rights described in the Readme later).
> > > > > >
> > > > > Umm, of course it doesn't work if you do this *later*. Please follow
> > > > > the README and INSTALL instructions in FULL before posting.
> > > > >
> > > > Probably you misunderstood my comments. Of course I followed Readme
> > > > and install but I also tested chgsaslpasswd with
> > > > -rwxrwxrwx 1 root www 3368 8 Nov 08:19 chgsaslpasswd
> > > > too. Both with no success.
> > > >
> > > This will never work; it does not have suid permission.
> > >
> > > > Now I have
> > > > -rw-rw---- 1 root cyrus 24576 8 Nov 08:09 sasldb2.db
> > > >
> > > Try:
> > >
> > > chown cyrus:root sasldb2.db
> > >
> > > while leaving permissions as above.
> > >
> > > > (I cross checked the rights with the user cyrus which can set password
> > > > with saslpasswd2)
> > > > and
> > > > -r-sr-x--- 1 root www 3368 8 Nov 08:19 chgsaslpasswd
> > > >
> > > Revert to what the Readme file tells you to:
> > >
> > > -r-sr-x--- 1 cyrus www 3368 8 Nov 08:19 chgsaslpasswd
> > >
> > > > and
> > > > acsvfbsd04# pw show group cyrus
> > > > cyrus:*:60:cyrus,www
> > > >
> > > You do NOT want www in your cyrus group. Period.
> > >
> > > > and
> > > > #define UID 60 (the cyrus one's)
> > > >
> > > > This does not work unless I set #define UID to 0 (the root one's).
> > > >
> > > > Any ideas are welcome.
> > > >
> > > You can get the script's error output if you run it from the command line:
> > >
> > > /usr/local/bin/sudo -u www chgsaslpasswd -p <username>
> > > <password>
> > >
> > I did the above without success. The output from /usr/local/bin/sudo
> > -u www chgsaslpasswd -p <username> is an empty line (no messages) but
> > the password will not change on sasldb2.db.
>
> Show the return value of the script by doing this immediately after running it:
>
> echo $?

You have to include this inside the sudo otherwise it will echo the
status of the sudo command which is not useful.

> You can also put debugging output in the suid script. Have it print
> out the UID after it changes users. Also, did you contact the plugin
> author to see if he can help?
>
> Show your current ownership/permissions on all files again if you would.
>

--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
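
The ownership and modes proposed in the thread above (helper `-r-sr-x---` cyrus:www, `sasldb2.db` `-rw-rw----` cyrus:root, `www` not a member of the `cyrus` group) can be checked in one pass with a short script. This is an added example, not part of the original thread or of the plugin; the function names and the argument order are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Expected owners, groups and modes are the
# ones proposed in the discussion; paths are passed in by the caller.

# Print "mode owner group". The mode is cut to 10 characters so an ACL or
# SELinux marker appended by ls does not break the comparison.
file_state() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3, $4 }'
}

# check_file PATH MODE OWNER GROUP: returns 0 on an exact match, 1 otherwise.
check_file() {
    [ -e "$1" ] || { echo "FAIL: $1 does not exist"; return 1; }
    state=$(file_state "$1")
    want="$2 $3 $4"
    if [ "$state" = "$want" ]; then
        echo "ok:   $1 ($state)"
        return 0
    fi
    echo "FAIL: $1 is '$state', expected '$want'"
    case "$state" in
        ????????w*) echo "      world-writable: any local user can modify it" ;;
    esac
    return 1
}

# group_has_member GROUP_LINE USER: returns 0 if USER is in the member field
# of a group(5)-style line such as the `pw show group cyrus` output above.
group_has_member() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    case ",$members," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit HELPER DB GROUP_LINE: returns 0 only if every check passes.
audit() {
    rc=0
    check_file "$1" "-r-sr-x---" cyrus www  || rc=1   # setuid cyrus, run by www
    check_file "$2" "-rw-rw----" cyrus root || rc=1   # not world-accessible
    if group_has_member "$3" www; then
        echo "FAIL: www is in the cyrus group"
        rc=1
    fi
    return "$rc"
}

if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Invoke it with the helper path, the database path and the group line, for example the output of `pw show group cyrus` on FreeBSD; the exit status is 0 only when all three checks pass.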