[sork] vpopmail driver for passwd

Eric Rostetter eric.rostetter@physics.utexas.edu
Sat, 27 Jul 2002 11:02:56 -0500


Quoting Dan Wilson <dan@acucore.com>:

> Eric,
> 
> Ok... so we got it working, but there are some serious issues.

Well, let's see if we can't address some of those... ;)

> The vpopmail extension for PHP requires very specific file permissions.  
> Basically, the most secure way to run the vpopmail functions are to have your
> webserver running under the vpopmail user.

Sounds reasonable.  (I wish the vpopmail extensions were documented/supported --
that would help a lot)

> Of course, we couldn't do that because of other file permission issues, so we
> created another instance of apache which runs under the correct user 
> [vpopmail] and group [vchkpw] and of course, a different port.  This instance

Can you share why you couldn't run it under the vpopmail user and/or group?
If it is sensitive info, don't bother...  But I'd like to know why you couldn't
just run it under the vpopmail user/group.

Other options to consider:

* run php as a cgi script, running under the required user/group
* dump the php extensions, and do it with system commands via system/exec/etc.
* write a poppassd daemon as you note in your ps below.

> of apache only has access to a specific directory which contains a 
> file "vpopmail_passwd.php" which has one purpose.... it takes parameters 
> passed to it and calls the vpopmail_passwd function.

Hopefully you protect that web server somehow?  (only accept connections from
localhost, etc)
 
> We have created a driver for the passwd module, which then calls this file,
> passing the correct parameters.
> 
> We realize that this is a complete hack, but it is a solution.  Unless
> someone has a better solution, this is what we can contribute to the project
> (along with a serious README).
> 
> What do you think?

Sounds a bit promising.  We can discuss things more, and see what happens.

> -Dan
> 
> PS.  We did toss around the idea of taking advantage of vpopmail's
> open-source and creating a vpopmail daemon for changing passwords, etc.  Of
> course, that

You could modify a poppassd server to support vpopmail.  Shouldn't be too
hard.  I'd be willing to help.  Basically just get an old poppassd server
that calls the system command passwd, and change it to the vpopmail passwd
command...

> would take much longer to implement, but we are still considering it.

Might not be as hard as you think!  Or, could be, depending on how you 
go about it.  A modified poppassd should be rather easy.  Writing a new
routine from scratch could be much harder and take much longer... ;)

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.
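As an added illustration of the "protect that web server somehow" point raised above (not part of the thread, nor from the Horde or vpopmail projects), here is a minimal httpd.conf for the dedicated Apache instance Dan describes: it runs as vpopmail/vchkpw, listens only on the loopback interface, and serves nothing but the one directory holding vpopmail_passwd.php. The port, ServerRoot, DocumentRoot and the mod_php loading lines are assumptions; adjust them to the local install.

```apache
# Added example config for the second Apache instance (assumed paths/port).
# Bind to the loopback address only, so the script is reachable just from
# the passwd driver running on this same host.
Listen 127.0.0.1:8081

# Run the whole instance as the vpopmail user/group that the PHP
# vpopmail extension requires.
User vpopmail
Group vchkpw

ServerRoot /usr/local/apache-vpopmail
DocumentRoot /usr/local/apache-vpopmail/htdocs
PidFile /usr/local/apache-vpopmail/logs/httpd.pid
ErrorLog /usr/local/apache-vpopmail/logs/error_log

# Assumed mod_php setup; the module path differs per install.
LoadModule php4_module libexec/libphp4.so
AddType application/x-httpd-php .php

# Deny access to the entire filesystem by default.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Expose only the directory containing vpopmail_passwd.php, and only to
# clients connecting from localhost.
<Directory /usr/local/apache-vpopmail/htdocs>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
```

With this in place, a request to the password-change script from any address other than 127.0.0.1 is refused, and the vpopmail-privileged process never serves any other content.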