security in DA ? :(

crazy baby

Hello, I have a freshly installed DA.

My admin told me about potential security holes in DA:

1. vmpop3 is running as root!!
If there is ever a bug in vmpop3 in the future, we will have a "site owned by script kid" :(

Can anybody help? Is it possible to secure vmpop3 (running with any rights other than root)?

Wojciech Babicz
 
I don't know much about vmpop3, but all services including DirectAdmin itself have their parent processes running as root so that they can later drop their effective privileges to the user who is executing the command.
Even exim requires its binary be setuid root to deliver local mail.
 
Hello,

Yes, it runs as root, but it drops its privileges once it knows the UID required for the files it wants to write to. "mail" would be fine if it was just for the virtual pop accounts, but the system accounts are chowned to "username:username", so vm-pop3d would have no way of writing to them as "mail".

John
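
The pattern described in the replies above (start as root, then switch to the account that owns the mailbox), sketched in C as an added example. This is not vm-pop3d's or DirectAdmin's code; `drop_privileges` and `drop_to_user` are hypothetical names, and the sketch assumes the drop happens in a per-connection child after the client has authenticated.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently become uid/gid. Returns 0 on success, -1 on any failure.
 * Groups and gid are changed first, while the process still has the
 * privilege to change them; the uid goes last. */
int drop_privileges(uid_t uid, gid_t gid, const char *name)
{
    if (uid == 0)
        return -1;                          /* refuse to "drop" to root */
    if (geteuid() == 0) {                   /* only root may reset groups */
        int rc = name ? initgroups(name, gid) : setgroups(1, &gid);
        if (rc != 0)
            return -1;
    }
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify: root must be unreachable and all ids must match. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Hypothetical helper: called in the per-connection child after the
 * client has authenticated as the system account `username`. */
int drop_to_user(const char *username)
{
    struct passwd *pw = getpwnam(username);
    if (pw == NULL)
        return -1;
    return drop_privileges(pw->pw_uid, pw->pw_gid, pw->pw_name);
}

int main(int argc, char **argv)
{
    if (argc != 2 || drop_to_user(argv[1]) != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

A daemon that ignores the return value of `setuid()` keeps running as root when the call fails, which is why every step is checked and the result is verified before any mailbox is touched.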
 