Suggestion. scripts - file permissions #189
Suggestion accepted. Will change this soon. cleanup_amavisd_db.py and cleanup_db.py could be moved to "iredadmin" user's cron job since they are pure SQL operations, but delete_mailboxes.py must be run as root (or "vmail") user since it requires the privilege to remove files under /var/vmail/vmail1.
REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER:
Hi,
there are several scripts executed by root via cron.
The scripts themselves are owned by normal users:
e.g.
in: opt/www/iredadmin/tools:
are owned by iredadmin
This setting can be used for privilege escalation to root for this user.
Setting the shell to nologin doesn’t mitigate this completely.
Suggestion:
set the file owner for the scripts in root’s crontab to root:root,
remove ability to be written by user/world for them.
Sincerely,
Michael
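
An audit for the condition this issue describes, as an added example that is not part of the original thread or of iRedMail: it reports files run from a crontab that are not owned by the expected user or are group- or world-writable. It goes one step beyond the post by also checking each script's directory, since write access there allows replacing a root-owned file; `check_target`, `audit_cron_scripts` and `make_sample` are hypothetical names, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not iRedMail code): audit the scripts a crontab runs.
# Usage: audit_cron_scripts CRONTAB_FILE [EXPECTED_UID]   (default 0 = root)

# Print one line per problem with the file or directory $1.
check_target() {
    if [ -n "$(find -H "$1" -prune ! -user "$2")" ]; then
        echo "$1: not owned by uid $2"
    fi
    if [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$1: group- or world-writable"
    fi
}

# Check every absolute path in the crontab that is a regular file, plus its
# directory (write access there allows replacing the script).
# Returns 0 when clean, 1 when anything was reported.
audit_cron_scripts() {
    uid=${2:-0}
    report=$(grep -v '^[[:space:]]*#' "$1" | tr -s ' \t' '\n' | grep '^/' | sort -u |
        while IFS= read -r p; do
            [ -f "$p" ] || continue
            check_target "$p" "$uid"
            check_target "$(dirname "$p")" "$uid"
        done | sort -u)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: a temp crontab with one tight and one loose script.
# Pass the current uid as EXPECTED_UID so the sample can be audited unprivileged.
make_sample() {
    d=$(mktemp -d)
    for f in tight.py loose.py; do echo 'pass' > "$d/$f"; done
    chmod 755 "$d"; chmod 644 "$d/tight.py"; chmod 664 "$d/loose.py"
    printf '# constructed sample\n1 3 * * * python3 %s\n*/5 * * * * python3 %s\n' \
        "$d/tight.py" "$d/loose.py" > "$d/crontab"
    echo "$d"
}
```

On a real host, run it as root against the output of `crontab -l` saved to a file, leaving the expected uid at its default of 0.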