#########################################################################
NOTES FOR RUNNING COURIERPASSWD

In order to use courierpasswd, it must be able to access the
authdaemon domain socket, named 'socket'. When courierpasswd runs as
root, this presents no problem. However, if you need to run courierpasswd
as a non-root user, you have three options, all of which require some
manual work.

Option 1: Add the user courierpasswd will run as to the group that
owns the authdaemon socket directory in /etc/group. More than one user
can be added to the group vector in this way. This arrangement works
well if courierpasswd will be run by only a small number of users.
If the authdaemon socket directory is owned by courier:courier and you
run courierpasswd as user vmail, your /etc/group file will have a line
something like this:

    courier:x:465:vmail

Option 2: Some programs, such as tcpserver, allow you to separately set
the uid and gid of the programs they call but don't honour the group
vector found in /etc/group. If you invoke courierpasswd from such a
program, set the gid to the group ownership of the authdaemon socket
directory. For tcpserver, you could do something like this:

    #!/bin/sh

    QMAILUID=`/usr/bin/id -u qmaild`
    COURIERGID=`/usr/bin/id -g courier`

    exec /usr/local/bin/tcpserver -u "$QMAILUID" -g "$COURIERGID" \
        0 smtp /var/qmail/bin/qmail-smtpd /usr/local/sbin/courierpasswd -- \
        /usr/bin/true 2>&1

Option 3: Change the permissions on courierpasswd so that it runs setgid
to the group that owns the socket directory. Again, if the socket
directory is owned by courier:courier, change the group ownership and
permissions of courierpasswd like so:

    chgrp courier courierpasswd
    chmod g+s courierpasswd

Be aware that courierpasswd does not provide any max-failed-retry
functionality, so if it is set up this way any local user can run it
and perform dictionary attacks against account passwords.

The location of the authdaemon domain socket is listed in the
authdaemonrc configuration file as the parameter authdaemonvar.

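The following audit script is an added example, not part of the courierpasswd distribution: it reports which of the arrangements above (Option 1 group membership, Option 3 setgid binary, or neither) is in effect for a given user, so you can confirm the one you intended and spot the setgid case the warning above describes. The socket directory, binary and group file paths are placeholders; Option 2 is set by the calling program (tcpserver -g) and leaves no trace on the filesystem, so it is not checked.

```shell
#!/bin/sh
# Added example (not from courierpasswd): audit which access arrangement
# lets USER reach the authdaemon socket.  All paths are placeholders.

# Option 1: is USER listed in GROUP's member field of GROUPFILE (/etc/group)?
group_has_member() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Group that owns PATH (field 4 of ls -ld; works on GNU and BSD alike).
owning_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Option 3: does BINARY carry the setgid bit?  POSIX find, no GNU stat needed.
is_setgid() {
    [ -n "$(find "$1" -prune -perm -2000 2>/dev/null)" ]
}

# Prints root, option1, option3 or none for USER against SOCKDIR and BINARY.
# option3 is the arrangement the NOTES warn about: every local user can then
# drive courierpasswd, which has no failed-attempt limit.
access_mode() {
    sockdir=$1 binary=$2 user=$3 groupfile=$4
    grp=$(owning_group "$sockdir")
    if [ "$user" = root ]; then
        echo root
    elif group_has_member "$groupfile" "$grp" "$user"; then
        echo option1
    elif is_setgid "$binary" && [ "$(owning_group "$binary")" = "$grp" ]; then
        echo option3
    else
        echo none
    fi
}

# Example call (placeholder socket dir; take the real one from authdaemonvar):
# access_mode /path/to/authdaemon /usr/local/sbin/courierpasswd vmail /etc/group
```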
51 |
#########################################################################