Date: Fri, 31 Aug 2007 22:00:07 GMT
From: "Internet Partners, Inc. Tech Support" <support@ipinc.net>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/115957: Questionable ownership and security on dspam port
Message-ID: <200708312200.l7VM079D050917@freefall.freebsd.org>

The following reply was made to PR ports/115957; it has been noted by GNATS.

From: "Internet Partners, Inc. Tech Support" <support@ipinc.net>
To: <bug-followup@FreeBSD.org>
Cc:
Subject: Re: ports/115957: Questionable ownership and security on dspam port
Date: Fri, 31 Aug 2007 14:19:20 -0700

send-pr ate the first part of this PR so here's the rest:

The Dspam port in /usr/ports/mail/dspam by default installs with the following options:

DSPAM_HOME_OWNER=root
DSPAM_HOME_OWNER=mail

It also sets up the webUI to run suexec. The problem here is that under Apache 1.3 the suexec header has a minimum UID and GID in its header of 100. This makes it impossible to run the dspam webUI.

If you try running the webUI under a dspam user above 100, then it can't read /var/db/dspam/data directories. If you try running the webUI under a GID of mail, suexec won't allow it to run.

The ideal thing from a security standpoint would be for the dspam port to install with DSPAM_HOME_OWNER and DSPAM_HOME_OWNER both set to username dspam, and have the port create that UID and GID on the system. That is how the port USED to work. I don't know why the maintainer changed it.

If for some reason dspam must run with root UID in order to work with mail, then the port should check the minimum GID in suexec with a test program, and issue an error to the admin to recompile suexec with a minimum GID of 5, then the apache entry for the port then runs the dspam vhost web UI under the mail group.
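
The check the message proposes (compare suexec's compiled-in minimum with the ID the web UI would run under), as an added example that is not part of the original e-mail or of the dspam port. It assumes `suexec -V` prints its limits as `-D GID_MIN=100` (or `-D AP_GID_MIN=100` in Apache 2.x naming); the function names, the sample output and the numeric IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the e-mail or the dspam port): check whether suexec's
# compiled-in minimum UID/GID would reject the ID the web UI is meant to run as.

# Constructed sample of `suexec -V` output; the "-D NAME=value" layout is assumed.
SAMPLE_SUEXEC_V=' -D DOC_ROOT="/usr/local/www/data"
 -D GID_MIN=100
 -D HTTPD_USER="www"
 -D UID_MIN=100'

# suexec_min KEY: read `suexec -V` text on stdin and print the number set for
# KEY (UID_MIN or GID_MIN). An "AP_" prefix (Apache 2.x naming) is accepted too.
suexec_min() {
    sed -n "s/^[[:space:]]*-D[[:space:]]*\(AP_\)*$1=\([0-9][0-9]*\).*/\2/p" | head -n 1
}

# check_suexec_id KIND ID: KIND is UID or GID, ID is numeric; stdin as above.
# Returns 0 if suexec would accept ID, 1 if it would refuse it, 2 if the
# minimum could not be read. suexec always refuses ID 0, whatever the minimum.
check_suexec_id() {
    kind=$1
    id=$2
    min=$(suexec_min "${kind}_MIN")
    if [ -z "$min" ]; then
        echo "cannot determine ${kind}_MIN from suexec -V output" >&2
        return 2
    fi
    if [ "$id" -eq 0 ] || [ "$id" -lt "$min" ]; then
        echo "suexec will refuse ${kind} ${id}: compiled minimum is ${min}" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample: GID 6 against a minimum of 100 is refused.
# On a real host, feed it the live values instead (run as root):
#   suexec -V 2>&1 | check_suexec_id GID "$(id -g dspam)"
printf '%s\n' "$SAMPLE_SUEXEC_V" | check_suexec_id GID 6 || echo "result: $?"
```

A port could run such a check at install time and stop with a message to the administrator when the result is non-zero, rather than leaving a web UI that suexec silently refuses to execute.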