From: Alex van den Bogaerdt (alexergens.op.HET.NET)
Date: Thu Jul 04 2002 - 18:06:01 CDT

    Hi,

    I've spent hours (yes, really) searching for an answer and have found
    only questions and parts of answers.

    To show that I understand at least part of the problem *and* that
    I know about unix file permissions(...), I included a patch that solves
    my problem (but probably is not secure enough to make it into postfix).

    Problem:
    When trying to use maildir, I almost got it working. The only problem
    that I can see is that I have to manually create /var/spool/mail/$user/
    or else mail cannot be delivered. Using procmail didn't work for me
    either but I must admit I may have overlooked something there.

    When the local delivery program runs, it runs with the effective uid
    of the user mail is delivered to. This user is not allowed to create
    a directory in /var/spool/mail.

    After applying the patch, postfix will create the "base directory"
    as user root and only then change uid to the user. Of course that
    means I may have introduced a security threat so don't try this at home.

    Please comment on this. If you know I overlooked something important
    and/or if you know where to find useful information (such as an actual
    answer to this very frequently asked-but-not-answered problem) please
    tell me.

    If there's a good reason not to create the directory as I did in my
    patch (but then implemented right of course) I'd very much like to
    know.

    regards,
    Alex

    Patch for /usr/src/postfix-1.1.7/src/local/maildir.c :

    --- maildir.c.original_version Tue Nov 27 16:43:47 2001
    +++ maildir.c Fri Jul 5 00:27:10 2002
    -125,6 +125,20
          * process started, and count is the number of messages you've
          * delivered."
          */
    +
    +#define MYHACK
    +#ifdef MYHACK
    + /*
    + * Ugly hack to make things work. "Create any missing directories on
    + * the fly" cannot be done while delivering in /var/spool/mail ...
    + */
    + set_eugid(0, 0);
    + if (make_dirs(path, 0700)<0) {
    + vstring_sprintf(why, "create spooldir/$user %s: %m", path);
    + } else {
    + chown(path,usr_attr.uid, usr_attr.gid);
    +#endif
    +
     #define STR vstring_str
     
         set_eugid(usr_attr.uid, usr_attr.gid);
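Review bot: the `chown(path,usr_attr.uid, usr_attr.gid);` call in the new `else` branch runs with euid 0, ignores its return value, and follows symlinks, so if `path` already exists as a symlink the ownership change lands on the link target rather than on a directory this code created. Suggest checking the result and using `lchown()`, or `fchown()` on a descriptor opened with `O_DIRECTORY | O_NOFOLLOW`. In addition, `make_dirs(path, 0700)` creates every missing component as root but only the final `path` is chowned, so any intermediate directory it creates stays root-owned with mode 0700 and the recipient cannot traverse it. The failure branch only fills `why`; no delivery status is set in the visible lines. The unconditional `#define MYHACK` should become a build-time or configuration switch if this is kept.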
    -151,6 +165,9
             if (unlink(tmpfile) < 0)
                 msg_warn("remove %s: %m", tmpfile);
         }
    +#ifdef MYHACK
    + }
    +#endif
         set_eugid(var_owner_uid, var_owner_gid);
     
         /*
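Review bot: the `}` added under `#ifdef MYHACK` closes the `} else {` opened in the earlier hunk, so the brace balance of the whole delivery body depends on the same macro being set consistently in two separate places. Suggest moving the root-side directory creation into a small helper that returns a status and calling it before `set_eugid(usr_attr.uid, usr_attr.gid);`, which removes the need for a conditional brace. As written, a `make_dirs` failure skips the entire delivery block and arrives at `set_eugid(var_owner_uid, var_owner_gid);` with only `why` filled in, and the skipped block is not re-indented, which hides that it has become conditional.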