From: Paul L. <pa...@sq...> - 2013-06-27 07:50:59
On Thu, Jun 27, 2013 at 12:36 AM, Bu Xiaobing <bus...@gm...> wrote:
> On 2013-6-27 15:14, Paul Lesniewski wrote:
>> On Thu, Jun 27, 2013 at 12:09 AM, Bu Xiaobing <bus...@gm...> wrote:
>>> On 2013-6-25 7:14, Paul Lesniewski wrote:
>>>>> I think the problem with setgroups(0, NULL): Operation not permitted has
>>>>> been resolved.
>>>>
>>>> If you don't say *how* -- explain carefully what you changed, what
>>>> your current settings are, then you leave us to guess. This is
>>>> frustrating and you are less likely to receive any help this way.
>>>>
>>>>> The first time, I set
>>>>> 'SUID_LOCATION' => array('VALUE' =>
>>>>> '/var/www/html/webmail/plugins/server_settings_backend/suid_backend/squirrelmail_server_settings_suid_backend'),
>>>>>
>>>>> I find that /var/www/html/webmail/plugins/server_settings_backend also has
>>>>> a squirrelmail_server_settings_suid_backend, and the file permission is
>>>>> -rwsr-xr-x.
>>>>>
>>>>> So I changed the SUID_LOCATION value to
>>>>> /var/www/html/webmail/plugins/server_settings_backend/squirrelmail_server_settings_suid_backend
>>>>
>>>> The only examples I can find point to the server_settings_backend
>>>> directory. The copy of the suid_wrapper in the suid_backend directory
>>>> shouldn't be used in your configuration. (I believe this is your
>>>> oversight, unless you can point out where there was a misleading
>>>> example.)
>>>>
>>>>> But I get another error, "Remote file name cannot contain "/"", in
>>>>> /var/log/httpd/error_log.
>>>>
>>>> This is good in general. If you really need directory traversal
>>>> (why?), read the docs on how to compile the suid wrapper. And once
>>>> again, READ THE DOCS **BEFORE** you ask for help.
>>>>
>>>>> And if I set "$ssf_debug_server_settings_backend = 1" in
>>>>> server_side_filters/config.php, then after I click "Options->Message Filters"
>>>>> in the web browser, the web page only displays the following message:
>>>>>
>>>>> Unable to retrieve file from command
>>>>> "/var/www/html/webmail/plugins/server_settings_backend/squirrelmail_server_settings_suid_backend
>>>>> 'localhost' 'buxiaobing' 'get_file' '/home/buxiaobing/.mailfiter'
>>>>> '/var/local/squirrelmail/attach/xo4HqZ6WpSq6iUazfx1TLAmw3SEg6p9D'"
>>>>>
>>>>> I can't understand why it would retrieve the
>>>>> /var/local/squirrelmail/attach/xo4HqZ6WpSq6iUazfx1TLAmw3SEg6p9D file, and
>>>>> this file does not exist.
>>>>>
>>>>>
>>>>> Bu Xiaobing
>>>>
>>>>
>>>>
>>>
>>> Thanks for your help. I read server_settings_backend/docs/SUID_BACKEND_ERRORS
>>> and found the problems, and it works now!
>>
>> Thanks for reading the docs. I'd just caution you again *against*
>> allowing directory traversal. There is no reason you should need that
>> and it is less secure.
>>
>
> Do you mean I should not use SUID backend?

I never said such a thing.

> For now, I need SUID to save a kickoff file .forward
> which contains "|exec /usr/bin/procmail || exit 75" at /home/USER,

Let the wrapper obtain the user home directory. The SquirrelMail side
(the filters plugin) should only pass the name of the file (.forward)
and no path information.

> So I can invoke procmail to do filter. And I compiled SUID
> with --enable-auth=imap to do authentication.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php