From wesley@terpstra.ca Mon Sep 21 18:29:17 2009
Received: from sfi-mx-1.v28.ch3.sourceforge.com ([172.29.28.121]
	helo=mx.sourceforge.net)
	by 235xhf1.ch3.sourceforge.com with esmtp (Exim 4.69)
	(envelope-from <wesley@terpstra.ca>) id 1MpndV-0006BB-Rp
	for lurker-users@lists.sourceforge.net; Mon, 21 Sep 2009 18:29:17 +0000
X-ACL-Warn: 
Received: from mail-ew0-f207.google.com ([209.85.219.207])
	by 29vjzd1.ch3.sourceforge.com with esmtp (Exim 4.69)
	id 1MpndI-0002VC-Ev
	for lurker-users@lists.sourceforge.net; Mon, 21 Sep 2009 18:29:12 +0000
Received: by ewy3 with SMTP id 3so291020ewy.33
	for <lurker-users@lists.sourceforge.net>;
	Mon, 21 Sep 2009 11:28:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.210.101.1 with SMTP id y1mr3477678ebb.60.1253557737756; Mon, 
	21 Sep 2009 11:28:57 -0700 (PDT)
In-Reply-To: <20090921121050.22b934fb@buffy.phorce1.net>
References: <20090918121221.32fb0bf2@buffy.phorce1.net>
	<4AB3D47B.40405@email.it> <20090918200132.754e488a@buffy.phorce1.net>
	<162de7480909191249v20605529vdf911a545a32e651@mail.gmail.com>
	<20090920174711.52f4e8eb@buffy.phorce1.net>
	<162de7480909210643x69bd7c78k1e0a2f3687d401d4@mail.gmail.com>
	<20090921121050.22b934fb@buffy.phorce1.net>
Date: Mon, 21 Sep 2009 20:28:57 +0200
Message-ID: <162de7480909211128q6a676a7eyb262268fb0d6fe0@mail.gmail.com>
From: "Wesley W. Terpstra" <wesley@terpstra.ca>
To: lurker-users@lists.sourceforge.net
Content-Type: multipart/alternative; boundary=001517441338aa18ce04741aa774
X-Spam-Score: 1.7 (+)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	1.0 HTML_MESSAGE           BODY: HTML included in message
	0.7 AWL AWL: From: address is in the auto white-list
X-Headers-End: 1MpndI-0002VC-Ev
Subject: Re: [Lurker-users] Permissions errors
X-BeenThere: lurker-users@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Lurker Project Support <lurker-users.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/lurker-users>, 
	<mailto:lurker-users-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=lurker-users>
List-Post: <mailto:lurker-users@lists.sourceforge.net>
List-Help: <mailto:lurker-users-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/lurker-users>,
	<mailto:lurker-users-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2009 18:29:17 -0000

--001517441338aa18ce04741aa774
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Sep 21, 2009 at 7:10 PM, Gerald Livingston <gerald.lurker@sysmatrix.net> wrote:

> > Interesting. Perhaps it's setuid? Or perhaps there is a setting
> > somewhere else that instructs the MDA to setuid for it.
>
> -rwsr-xr-x 1 ecartis daemon 199880 2006-04-14
> 18:36 /usr/lib/ecartis/ecartis
>
> Is there a security reason that lurker is not setuid?
>

Well, err, yes. If the program is setuid you can run it as any user to take
action on the database. If you made lurker-index setuid, it would work too,
but then any user on the system could run lurker-index to put new mail into
your archive.

IMO the ecartis "solution" is an egregious hack.

Better is to find out how to tell your MDA which user to run as. It must be
possible since your MDA is running procmail as the target user. Find out how
it invokes procmail. That's how you want to invoke lurker.

--001517441338aa18ce04741aa774--

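Added example, not part of the thread or of the lurker or ecartis projects: a small Python audit that takes an `ls -l` line like the ecartis listing quoted above, reconstructs the permission bits from the symbolic mode string (including the `s`/`S` setuid markers), and reports who can invoke the binary and as which user. This is the check behind the reply's point: a setuid, world-executable delivery program can be run by any local account as its owner. The listing line is the one from the message joined onto one line; the assumption that the path is the last whitespace-separated field (no spaces in the path) is mine.

```python
"""Audit an `ls -l` listing for setuid exposure.

Constructed example for the setuid discussion; not code from lurker or ecartis.
"""
import stat
from dataclasses import dataclass

# The ecartis listing quoted in the thread, joined onto one line.
ECARTIS_LISTING = "-rwsr-xr-x 1 ecartis daemon 199880 2006-04-14 18:36 /usr/lib/ecartis/ecartis"

# Permission bit for each of the nine positions after the file-type character.
_POSITION_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
                  stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
                  stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# Positions that can carry a special marker: owner-exec (setuid), group-exec
# (setgid), other-exec (sticky). Lowercase means the execute bit is also set.
_SPECIAL = {2: ("sS", stat.S_ISUID), 5: ("sS", stat.S_ISGID), 8: ("tT", stat.S_ISVTX)}


def parse_symbolic_mode(sym: str) -> int:
    """Convert a 10-character `ls -l` mode string (e.g. '-rwsr-xr-x') to mode bits."""
    if len(sym) != 10:
        raise ValueError(f"expected a 10-character mode string, got {sym!r}")
    mode = 0
    for i, ch in enumerate(sym[1:]):  # skip the file-type character
        if ch == "-":
            continue
        if i in _SPECIAL and ch in _SPECIAL[i][0]:
            mode |= _SPECIAL[i][1]
            if ch.islower():          # 's'/'t': execute bit present as well
                mode |= _POSITION_BITS[i]
            continue
        if ch != "rwx"[i % 3]:
            raise ValueError(f"unexpected character {ch!r} at position {i + 1} in {sym!r}")
        mode |= _POSITION_BITS[i]
    return mode


@dataclass(frozen=True)
class Finding:
    path: str
    owner: str
    group: str
    mode: int
    risk: str      # 'any-local-user', 'group-members', 'owner-only' or 'none'
    message: str


def assess_listing(line: str) -> Finding:
    """Classify who can run the listed file, and as whom, from one `ls -l` line.

    Assumes the path is the last field (no embedded spaces); the date/time
    fields in between may be in any format, so they are not parsed.
    """
    fields = line.split()
    if len(fields) < 7:
        raise ValueError(f"not an `ls -l` line: {line!r}")
    sym, _links, owner, group = fields[:4]
    path = fields[-1]
    mode = parse_symbolic_mode(sym)

    setuid = bool(mode & stat.S_ISUID)
    world_exec = bool(mode & stat.S_IXOTH)
    group_exec = bool(mode & stat.S_IXGRP)

    if setuid and world_exec:
        risk = "any-local-user"
        msg = f"{path} is setuid {owner} and world-executable: any local account can run it as {owner}"
    elif setuid and group_exec:
        risk = "group-members"
        msg = f"{path} is setuid {owner}: members of group {group} can run it as {owner}"
    elif setuid:
        risk = "owner-only"
        msg = f"{path} is setuid {owner} but only the owner may execute it"
    else:
        risk = "none"
        msg = f"{path} is not setuid: it runs as the invoking user, so the MDA must deliver as the intended account"
    return Finding(path, owner, group, mode, risk, msg)


if __name__ == "__main__":
    for entry in (ECARTIS_LISTING,
                  "-rwxr-xr-x 1 root root 4096 2009-09-21 18:29 /usr/bin/lurker-index"):
        finding = assess_listing(entry)
        print(f"{oct(finding.mode)} {finding.risk:15} {finding.message}")
```

Run against the quoted listing, the audit reports the ecartis binary as setuid `ecartis` and world-executable, which is exactly the exposure the reply describes for a hypothetical setuid lurker-index; the non-setuid case is reported as running under the invoking user, which is why the MDA has to be told which user to deliver as.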