Faxrunq(d) not by root

• Messages sorted by:[ date ][ thread ][ subject ][ author ]

Hi,

On Thu, Jan 20, 2000 at 07:52:47AM +0000, Volker Englisch wrote:
> For security reasons, I tried to run faxrunq from a special user's
> crontab, not from the root's crontab. To manage that, I created a new
> user "fax" (uid 42) with standard group "fax" and additional group
> "dialout".
> 
> Then I chowned /var/spool/fax and it's subdirs to fax.fax. When some
> user faxspools a new fax, it is located in e.g.
> /var/spool/fax/outgoing/F..../f1.g3. That file is owned by
> user.usergroup (as before). When running faxrunq as user fax, it
> complaines about "job already locked". I guess the problem is the
> ownership of the outgoing files, for user "fax" doesn't have any
> permission on those files.

It has to be able to *write* to the F.... directories.

I always run faxrunq as root.  If you don't trust it (too much shell
code), use faxrunqd, it should in no case be attackable by shell
metacharacter attacks.

[..]
> I guess there must be a much less complicated way to run faxrunq (or
> faxrunqd) as a non-root user. Can someone please tell me how?

There is none yet.  You have to be able to access user files, and read and
write those directories.

(The correct way is to have faxspool be "suid fax" and have the whole fax
queue structure mode rwx------ for fax only, but that's a lot of work)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de