[Mimedefang] defang script using chown or chgrp
David F. Skoll
dfs at roaringpenguin.com
Mon Apr 28 17:30:11 EDT 2008
Jon Rowlan wrote:
> When I issue
> system('cp', 'INPUTMSG', "/mailstore/$recipient/$MsgID");
That is NOT a good idea. Allowing arbitrary attacker-supplied data to
be used to construct a filename is asking for trouble... but anyway...
> the message gets save correctly but with a user/group of "defang". I
> want to chown or chgrp it so that it effectively belongs to or at least
> can be read by a user. The Maildir is in the users Home.
You can't do what you want unless you run MIMEDefang as root (and of course,
MIMEDefang refuses to run as root, so....)
You could (as you said) use a cron job to do the chown. Or a SUID
program (not recommended unless you are very careful). Or use a
database to store the messages instead of the file system.
Regards,
David.
More information about the MIMEDefang
mailing list