
List:       lists-bincimap
Subject:    Re: [bincimap] jail?
From:       Oden Eriksson <oden.eriksson () kvikkjokk ! net>
Date:       2003-04-23 15:16:32

On Wednesday 23 April 2003 16.41, Andreas Aardal Hanssen wrote:
> On Wed, 23 Apr 2003, Oden Eriksson wrote:
> >On Wednesday 23 April 2003 16.07, Andreas Aardal Hanssen wrote:
> >> On Wed, 23 Apr 2003, Oden Eriksson wrote:
> >> >Hi Andreas, all.
> >> >Could someone please document this new jail stuff as of the latest
> >> > bincimap. First..., how do I turn this off?
> >>
> >> You can't turn off this feature, nor can I see any reason to do so
> >> (other than if bincimap-up is invoked as non-root, in which you will see
> >> warnings in the log). :-)
> >> If those warnings are a pain, then I'm sure we can find some solution
> >> here.
> >
> >The thing is I started to suspect something wrong here using
> >checkpassword-pam... I can login ok with telnet, but not using kmail or
> >mozilla. (it works just fine with the djb version)
>
> That's funny.. all the jail stuff happens after bincimapd is invoked.
> Perhaps the problem is related to a wrong password or something?
>
> I suddenly realize that if the password is wrong, bincimap-up can no
> longer invoke its arguments because it is in a chroot jail. Hummmm...

I have absolutely no idea... But I don't think it's passwd related, I tried 
numerous times, even using different servers. I've not tried with OE yet 
because I'm too lazy to boot that shit os.

> >Here's what I thought would be wise;
> >Security {
> >    jail path = "/var/lib/bincimap-chroot/bin",
> >    jail user = "bincimap",
> >    jail group = "bincimap"
> >}
> ># grep binc /etc/passwd
> >bincimap:x:121:121:bincimap user:/var/lib/bincimap-chroot:/bin/false
>
> That's smart.

That is what I think it will look like in the next Mandrake package. (v1.1.5)

> >But I have to ask what is supposed to reside in the bin dir then? Nothing?
>
> It should chroot to an empty jail - I chose the bin/ area as default
> simply because I guessed that everyone has it already. But that's silly -
> there should be a separate jail area - perhaps under /tmp, created in
> run-time?

Nah, I think it's better to leave as is.

> >This works with telnet (this is from my xinetd stuff):
> >server_args=--conf=/etc/bincimap.conf \
> >--logtype=syslog -- /bin/checkpassword-pam \
> >-s checkpassword-pam /usr/sbin/bincimapd \
> >--conf=/etc/bincimap.conf
>
> Great! Is the problem perhaps related to SSL? Can you connect using
> openssl s_client?
>
> Andy :-)

This was using plain auth... Changing from "checkpassword-pam" to 
"checkpassword" and it started to work. Maybe it's me not understanding how 
to use "checkpassword-pam"?

-- 
Regards // Oden Eriksson, Deserve-IT.com
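
The jail setup discussed in this thread (chroot into an empty directory, then switch to the jail user and jail group), as an added example that is not part of the original message and not Binc IMAP's own code. `jail_is_empty` and `enter_jail` are hypothetical names, and the call order shown is the conventional one, assumed here rather than taken from the bincimap source.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE                        /* chroot, setgroups, mkdtemp on glibc */
#endif
#include <dirent.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 = directory holds only "." and "..", 0 = has other entries, -1 = cannot open. */
int jail_is_empty(const char *path)
{
    DIR *d = opendir(path);
    struct dirent *e;
    int empty = 1;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) {
            empty = 0;
            break;
        }
    closedir(d);
    return empty;
}

/* Hypothetical helper, not Binc IMAP code. Call as root.
 * 0 = jailed and unprivileged; -1 = failed, the caller must exit. */
int enter_jail(const char *path, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)                  /* a root "jail user" is no jail */
        return -1;
    if (jail_is_empty(path) != 1)              /* nothing inside to run or read */
        return -1;
    if (chroot(path) != 0 || chdir("/") != 0)  /* chdir so the cwd is inside the jail */
        return -1;
    if (setgroups(1, &gid) != 0)               /* drop supplementary groups while root */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)  /* group first: after setuid it is too late */
        return -1;
    return setuid(0) == 0 ? -1 : 0;            /* regaining root must fail */
}

int main(void)
{
    char dir[] = "/tmp/jail-demo-XXXXXX";      /* constructed sample jail path */
    int ok = mkdtemp(dir) != NULL && jail_is_empty(dir) == 1 && jail_is_empty("/") == 0;
    rmdir(dir);
    return ok ? 0 : 1;
}
```

Anything that has to run after `enter_jail` succeeds must already be open or loaded, since an empty jail contains no binaries to exec.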