[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Two Kmail users in one X session



On Thu, Mar 14, 2002 at 02:21:13PM +0200, Jarno Elonen wrote:
...
> 
> I'm trying to make a shortcut/script/program that would start Kmail as 
> another user (and thus open the corresponding mailbox) in my own KDE session 
> without having to type in the password.
> 
> My latest attempt was a 'SUID user2' program in C:
> 
>  Hinclude <unistd.h>
>  int main () {
>    putenv("HOME=/home/user2");
>    system("/usr/bin/kmail");
>    puts("Done.");
>  }
> 
> This apparently doesn't set all the environment variables correctly:
> 
...
> Any better ideas on how to implement this?
...
Hi

I am sorry to say, that all the methods proposed on this thread
are quite insecure, as they all allow user1 (and any virus/trojan
programs running as user1) to perform any and all commands as
user2.

rsh, ssh and friends all do this explicitly.

Your fine little program would be ok, if it did several extra steps
(like setruid, setrgid, filtering the environment, etc.).

Personally, I would recommend that you install super and add this
to your super.tab

user2mail          "/usr/bin/kmail" nargs=0 u+g=user2 user1

also do

# ln -s /usr/bin/super /usr/local/bin/user2mail

then user1 can run KMail as user2 by simply running
$ user2mail

super does all the nasty security checks for you, without asking
about passwords etc.  The only security hole left is, that you can
probably use the menus in KMail to run programs as user2.

An entirely different option would be if kmail has a command to
open additional mailbox files.  Then you could place a line in
/home/user2/.forward which moves all the mail to
/home/user2/mailbox2, which you then grant user1 rw access to.

Happy computing

Jakob


-- 
This message is hastily written, please ignore any unpleasant wordings,
do not consider it a binding commitment, even if its phrasing may
indicate so. Its contents may be deliberately or accidentally untrue.
Trademarks and other things belong to their owners, if any.

Attachment: pgpKREJow7vBg.pgp
Description: PGP signature


Reply to: