Re: [hylafax-users] "550 Cannot set privileges" with sendfax

[Lee Howard <faxguy@deanox.com>]

On 2002.03.02 10:54 Paul Chvostek wrote:
> 
> On Fri, Mar 01, 2002 at 02:32:42PM -0800, Lee Howard wrote:
> > >
> > > Whenever I run sendfax, I get an error:
> > >
> > > 	Login failed: 550 Cannot set privileges.
> >
> > See: http://www.hylafax.org/archive/2001-05/msg00011.php
> > and its thread.
> 
> Yeah, I saw that, and while I certainly agree that running hfaxd as
> root will *bypass* the problem, it's not really the solution I'm looking
> for.  :)  Exploits for Hylafax have been found in the past, so I too am
> ambivalent about running hylafax as root, even if chrooting works.

I know of no exploits to any HylaFAX version.  Vulnerabilites yes, 
exploits no.  You run *so* many other things as root already which have 
had both past vulnerabilities and past exploits.  I'm not sure why you 
make an exception with HylaFAX.

> What reason could there be for chroot(2) and chdir(2) to fail when hfaxd
> is run as a user who has write permissions on the directory?  Or is this
> simply a known problem whose only solution is to eliminate the security
> benefits of running hfaxd as a user other than root?

hfaxd, faxgetty, and faxq all need the ability to specify file ownership.  
User X cannot create a file owned by user Y.  In the past FreeBSD had 
resolved this problem by making hfaxd set-uid, which frankly, opens up a 
greater range of potential problems if vulnerabilities are found.  The way 
it is now, vulnerabilities are quite limited to the port-communication 
protocol.

Lee.

____________________ HylaFAX(tm) Users Mailing List _______________________
 To unsub: mail -s unsubscribe hylafax-users-request@hylafax.org < /dev/null