
Re: "setuid(UID)" and "chmod 4550" misbehaving
On Fri, Oct 20, 2006 at 11:38:12PM -0400, Kevin Mark wrote:
> On Fri, Oct 20, 2006 at 08:25:03PM +0200, Eugenio Jordán González wrote:
> > Hi:
> > 
> > I know it's already pretty late to try to provide some hints on this issue, but
> > didn't like to miss the chance in case some other people might hit same issue
> > in the future.
> > 
> > Provided plugin for Squirrelmail + Cyrus + SASL uses, as per code, a call to
> > saslpasswd2 binary. In fact, it's writing a Berkeley DB file, usually /etc/
> > sasldb2. Depending upon your configuration, by default:
> > 
> > XXX:/var/log/httpd # ls -l /etc/sasldb2
> > -rw-r--r--  1 root root 45056 Oct 20 20:00 /etc/sasldb2
> > 
> > Well, with such permissions and ownership, cyrus will not be able to run
> > saslpasswd2 successfully. cyrus user belongs in default installations to group
> > mail, as well as root, but notice root:root assign! This causes saslpasswd2 to
> > fail. Try then:
> > 
> > XXX:/var/log/httpd # ls -l /etc/sasldb2
> > -rw-rw-r--  1 root mail 45056 Oct 20 20:00 /etc/sasldb2
> > 
> > This has worked for me. But:
> > 
> > wwwrun@XXX:/XXX_DIR> ./chgsaslpasswd -p foo
> > oof
> > chgsaslpasswd: generic failure
> > 
> > It makes sense, right?
> > 
> > XXX:/XXX # usermod -G 12 wwwrun
> > XXX:/XXX # su wwwrun
> > wwwrun@XXX:/XXX> id
> > uid=30(wwwrun) gid=8(www) groups=8(www),12(mail)
> > wwwrun@XXX:/XXX>  ./chgsaslpasswd -p foo
> > oof
> > 
> > ...and it works! At least for me. Of course, it implies a risk for your system
> > security. You could use sudo to try to reduce the impact.
> > 
> > Hope this might help anyone else.
> > 
> > P.S.: As a matter of fact, wwwrun's shell is set to /bin/false by default. Had
> > to temporarily set it to a "runnable" shell.
> Hi Eugenio,
> Have you filed this information and fix as a bug report against sasl
> and/or squirrelmail, because this would appear to be very important and
> valuable info for the maintainers!

Hmm.  I am part of the cyrus-sasl maintenance team and we are
desperately trying to get away from the current packages since they have
essentially been unmaintained for over two years.  We just uploaded the
new 2.1.22 packages to experimental about 24 hours ago.  Anyhow, on my
system, /etc/sasldb2 has mode 660 and ownership root:sasl.  Though, I
don't use cyrus for mail anymore since having switched to courier.

Anyhow, I seem to recall that cyrus was in group sasl or you had to add
to it manually since it was a security risk.

Out of curiosity, what/who is user wwwrun and where did it come from?

Regards,

-Roberto

-- 
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
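
The access checks Eugenio works through above (root:root 644 vs. root:mail 664, and wwwrun before and after `usermod -G 12`) can be replayed offline. The script below is an added example, not code from the thread or from the cyrus-sasl or Squirrelmail projects: it takes an `ls -l` line and an `id` line, applies the standard owner/group/other DAC rule, and also flags a database that is readable by "other". The cyrus `id` line and the pre-usermod wwwrun line are constructed; the rest are the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Classic Unix DAC only: ignores ACLs,
# capabilities and MAC (SELinux/AppArmor), so treat a "yes" as necessary,
# not sufficient, for saslpasswd2 to succeed.

# can_write "<ls -l line>" "<full id line>"  -> exit 0 if the user may write
can_write() {
    ls_line=$1
    id_line=$2
    set -- $ls_line                       # split: mode links owner group ...
    mode=$1; owner=$3; group=$4
    ow=$(printf '%s' "$mode" | cut -c3)   # owner write bit  (-rw-r--r--)
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    xw=$(printf '%s' "$mode" | cut -c9)   # other write bit
    # user name and supplementary group names from `id` output
    user=$(printf '%s' "$id_line" | sed 's/^uid=[0-9]*(\([^)]*\)).*/\1/')
    groups=$(printf '%s' "$id_line" |
        sed 's/.*groups=//; s/[0-9]*(\([^)]*\))/\1/g; s/,/ /g')
    [ "$user" = root ] && return 0       # root bypasses DAC
    # owner class is decided first; group bits are not consulted for the owner
    if [ "$user" = "$owner" ]; then [ "$ow" = w ]; return $?; fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then [ "$gw" = w ]; return $?; fi
    done
    [ "$xw" = w ]
}

# other_readable "<ls -l line>" -> exit 0 if anyone on the box can read it
other_readable() {
    set -- $1
    [ "$(printf '%s' "$1" | cut -c8)" = r ]
}

# Lines from the thread; the cyrus id line and the first wwwrun line are constructed.
DB_ROOT='-rw-r--r--  1 root root 45056 Oct 20 20:00 /etc/sasldb2'
DB_MAIL='-rw-rw-r--  1 root mail 45056 Oct 20 20:00 /etc/sasldb2'
ID_CYRUS='uid=96(cyrus) gid=12(mail) groups=12(mail)'
ID_WWW_BEFORE='uid=30(wwwrun) gid=8(www) groups=8(www)'
ID_WWW_AFTER='uid=30(wwwrun) gid=8(www) groups=8(www),12(mail)'

for pair in "$DB_ROOT|$ID_CYRUS" "$DB_MAIL|$ID_CYRUS" \
            "$DB_MAIL|$ID_WWW_BEFORE" "$DB_MAIL|$ID_WWW_AFTER"; do
    f=${pair%%|*}; i=${pair#*|}
    if can_write "$f" "$i"; then r=writable; else r=denied; fi
    echo "${i%% *}: $r"
done
other_readable "$DB_MAIL" && echo "warning: /etc/sasldb2 is readable by other"
```

Roberto's 660 root:sasl layout passes the `other_readable` check; the thread's 664 root:mail layout does not, so the second warning line fires for it.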
