
Qmail-scanner Permission in /var/spool/qmailscan/


wget
02-13-2004, 06:48 AM
I have a Slackware 9.1 box. To install qmail scanner I've used:

tar -xzf qmail-scanner-1.20.tgz
cd qmail-scanner-1.20
groupadd qscand
useradd -c "Qmail-Scanner Account" -g qscand -s /bin/false qscand

./configure --admin postmaster --domain yourdomain.com --notify sender,admin,recips --local-domains yourdomain.com --install

cd contrib
make
make install
chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl # (This removes any suid on the file)

# I've removed the 'taint' option in perl (the -T in the first line) from /var/qmail/bin/qmail-scanner-queue.pl

Qmail works with qmail-scanner only when I set a full permission in /var/spool/qmailscan to all users.

After I run "setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g" the permissions in /var/spool/qmailscan/ are changed and my qmail responds with "451 qq temporary problem (#4.3.0)"

Which user must have the permissions (read/write/execute) on /var/spool/qmailscan/ ?

Isn't it unsafe to have full permissions for all users in /var/spool/qmailscan/ ?

Here is ls -l /var/spool/qmailscan:


-rw-rw-rw- 1 root root 2140369 Feb 13 11:39 qmail-queue.log
-rwxrwxrwx 1 qscand qscand 35 Feb 12 21:19 qmail-scanner-queue-version.txt
drwxrwxrwx 5 qscand qscand 120 Feb 12 21:18 quarantine
-rw-rw-rw- 1 qscand qscand 12288 Feb 12 21:19 quarantine-attachments.db
-rwxrwxrwx 1 qscand qscand 5016 Feb 12 21:37 quarantine-attachments.txt
-rw-rw-rw- 1 qscand qscand 2741 Feb 13 10:25 quarantine.log
drwxrwxrwx 2 qscand qscand 48 Feb 13 11:39 tmp
lrwxrwxrwx 1 qscand qscand 31 Feb 12 21:18 viruses -> /var/spool/qmailscan/quarantine
lrwxrwxrwx 1 qscand qscand 35 Feb 12 21:18 viruses.log -> /var/spool/qmailscan/quarantine.log
drwxrwxrwx 5 qscand qscand 120 Feb 12 21:18 working

legend
02-18-2004, 04:29 AM
uhm well, i guess you're using vpopmail as well.

Then do this : chown -R vpopmail.vchkpw /var/spool/qmailscan

After that, it should run. The system does use the vpopmail identity when scanning the mail with qmailscanner....

The point is, the user vpopmail needs to be able to read the configs and write to the log file. Besides that, it must be able to write the mail in working, so it should have write there too.

cheers
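The fix above replaces world-writable permissions with ownership by the identity that actually runs the scanner. The script below is an added example, not code from this thread or from the qmail-scanner project: it lists which entries under a spool directory are still world-writable, which entries are not owned by the expected scanning user, and strips the "other" bits. The spool path and the user name are parameters (the demo passes a constructed temporary directory that copies the modes from the ls -l listing above); re-owning the tree with chown to vpopmail or qscand needs root and is left to the administrator.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a qmail-scanner spool
# directory for world-writable entries, list entries not owned by the
# identity that runs the scanner, and strip the world bits.
# All paths and the user name are parameters supplied by the caller; the
# demo spool below is constructed here to mimic the listing in the thread.

# List entries (symlinks excluded, their mode is always 777) under $1
# that are world-writable.
find_world_writable() {
    find "$1" -mindepth 1 ! -type l -perm -002 | sort
}

# Number of world-writable entries under $1.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# List entries under $1 that are not owned by user $2 (the scanning
# identity: qscand, or vpopmail when qmail-smtpd runs as vpopmail).
find_not_owned_by() {
    find "$1" -mindepth 1 ! -type l ! -user "$2" | sort
}

# Remove every "other" permission bit below $1, keeping owner/group access
# so the scanning user can still read configs and write logs and working/.
# Re-owning the tree (chown -R user:group) needs root and is not done here.
tighten_spool() {
    chmod -R o-rwx "$1"
}

# Build a throwaway spool that mirrors the modes from the thread's ls -l
# output (world-writable directories and log files). Prints its path.
make_demo_spool() {
    d=$(mktemp -d)
    mkdir "$d/quarantine" "$d/tmp" "$d/working"
    : > "$d/qmail-queue.log"
    : > "$d/quarantine.log"
    chmod 777 "$d/quarantine" "$d/tmp" "$d/working"
    chmod 666 "$d/qmail-queue.log" "$d/quarantine.log"
    printf '%s\n' "$d"
}

demo() {
    spool=$(make_demo_spool)
    echo "world-writable before: $(count_world_writable "$spool")"
    find_world_writable "$spool"
    tighten_spool "$spool"
    echo "world-writable after:  $(count_world_writable "$spool")"
    echo "entries not owned by $(id -un):"
    find_not_owned_by "$spool" "$(id -un)"
    rm -rf "$spool"
}

# Run the demo only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh audit-spool.sh --demo` to see the five world-writable entries disappear; on a real box, call `find_world_writable /var/spool/qmailscan` and `find_not_owned_by /var/spool/qmailscan vpopmail` (or qscand) before and after the chown to confirm nothing is left open to every local user.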

wget
02-20-2004, 10:51 PM
Thank you legend.
It works

Bookworm
02-23-2004, 11:21 PM
I haven't dug deeply into it, but it looks like part of the problem is the failure to use the qmail-scanner-queue wrapper.

the line in /var/qmail/services/qmail-smtpd/run shouldn't be

/var/qmail/bin/qmail-scanner-queue.pl

I believe it should be

/var/qmail/bin/qmail-scanner-queue - after doing the wrapper, removing the suid bit, and the taint option.

I'll know more in the next couple of days.

BW

legend
02-25-2004, 02:05 PM
ok, thx for ack :)