
Re: "setuid(UID)" and "chmod 4550" misbehaving



On Fri, Oct 20, 2006 at 08:25:03PM +0200, Eugenio Jordán González wrote:
> Hi:
> 
> I know it's already pretty late to try to provide some hints on this issue, but
> didn't like to miss the chance in case some other people might hit same issue
> in the future.
> 
> Provided plugin for Squirrelmail + Cyrus + SASL uses, as per code, a call to
> saslpasswd2 binary. In fact, it's writing a Berkeley DB file, usually /etc/
> sasldb2. Depending upon your configuration, by default:
> 
> XXX:/var/log/httpd # ls -l /etc/sasldb2
> -rw-r--r--  1 root root 45056 Oct 20 20:00 /etc/sasldb2
> 
> Well, with such permissions and ownership, cyrus will not be able to run
> saslpasswd2 successfully. cyrus user belongs in default installations to group
> mail, as well as root, but notice root:root assign! This causes saslpasswd2 to
> fail. Try then:
> 
> XXX:/var/log/httpd # ls -l /etc/sasldb2
> -rw-rw-r--  1 root mail 45056 Oct 20 20:00 /etc/sasldb2
> 
> This has worked for me. But:
> 
> wwwrun@XXX:/XXX_DIR> ./chgsaslpasswd -p foo
> oof
> chgsaslpasswd: generic failure
> 
> It makes sense, right?
> 
> XXX:/XXX # usermod -G 12 wwwrun
> XXX:/XXX # su wwwrun
> wwwrun@XXX:/XXX> id
> uid=30(wwwrun) gid=8(www) groups=8(www),12(mail)
> wwwrun@XXX:/XXX>  ./chgsaslpasswd -p foo
> oof
> 
> , and it works! At least for me. Of course, it implies a risk for your system
> security. You could use sudo to try to reduce the impact.
> 
> Hope this might help anyone else.
> 
> P.D.: As a matter of fact, wwwrun's shell is set to /bin/false by default. Had
> to temporarily set it to a "runnable" shell.
Hi Eugenio,
Have you filed this information and fix as a bug report against sasl
and/or squirrelmail, because this would appear to be very important and
valuable info for the maintainers!
cheers,
Kev
-- 
|  .''`.  == Debian GNU/Linux == |       my web site:       |
| : :' :      The  Universal     | debian.home.pipeline.com |
| `. `'      Operating System    | go to counter.li.org and |
|   `-    http://www.debian.org/ |    be counted! #238656   |
|    my keyserver: pgp.mit.edu   |     my NPO: cfsg.org     |
