Hylafax Mailing List Archives
Re: [hylafax-users] "550 Cannot set privileges" with sendfax
On 2002.03.02 10:54 Paul Chvostek wrote:
>
> On Fri, Mar 01, 2002 at 02:32:42PM -0800, Lee Howard wrote:
> > >
> > > Whenever I run sendfax, I get an error:
> > >
> > > Login failed: 550 Cannot set privileges.
> >
> > See: http://www.hylafax.org/archive/2001-05/msg00011.html
> > and its thread.
>
> Yeah, I saw that, and while I certainly agree that running hfaxd as
> root will *bypass* the problem, it's not really the solution I'm looking
> for. :) Exploits for Hylafax have been found in the past, so I too am
> ambivalent about running hylafax as root, even if chrooting works.
I know of no exploits to any HylaFAX version. Vulnerabilities yes,
exploits no. You run *so* many other things as root already which have
had both past vulnerabilities and past exploits. I'm not sure why you
make an exception with HylaFAX.
> What reason could there be for chroot(2) and chdir(2) to fail when hfaxd
> is run as a user who has write permissions on the directory? Or is this
> simply a known problem whose only solution is to eliminate the security
> benefits of running hfaxd as a user other than root?
hfaxd, faxgetty, and faxq all need the ability to specify file ownership.
User X cannot create a file owned by user Y. In the past FreeBSD had
resolved this problem by making hfaxd set-uid, which frankly, opens up a
greater range of potential problems if vulnerabilities are found. The way
it is now, vulnerabilities are quite limited to the port-communication
protocol.
Lee.