HylaFAX The world's most advanced open source fax server
* David Ruggiero <jdavid@xxxxxxxxxxxxxxx> [081217 20:09]:
> The problem was that on this system the /var partition is set as "noexec, nosuid" for security. This is pretty common in Linux installations, in my experience, because no one runs scripts and executables in /var.
>
> No one except Hylafax, I guess. :}
>
> Is there a historical reason (SGI?) why Hylafax puts ALL of its eggs - including executable scripts - in the /var/spool/hylafax basket? I can't think of any other package that does this. (Generally, isn't /var the home of temporary, log, and spool files, not executables and config files? Yea, along with some stuff like /var/cron/*, but that's a little different.)
>
> Maybe this could get on the list for Hylafax 5.0, to install its bin/* and config files in more POSIX-standard locations, for both security and maintainability? I'll defer to my betters on that, but makes sense to me.
>
> For now, I'm going to try moving /var/spool/hylafax/bin to somewhere else (like /usr/local/bin/hylafax) and symlinking to it. Don't know if that will get around the noexec problem or not, but it's easier than getting the admins to "downgrade" security on the entire box, which is probably a non-starter around here.

And the reason is: chroot

I guess if you really wanted, you could go about bind-mounting all the non-/var places back into /var/spool/hylafax to get a usable chroot again...

Or, if you don't like /var/spool/hylafax, you can easily put it somewhere else (like /data/hylafax, or /opt/hylafax, or /home/fax, or anywhere) where you don't have noexec.

a.

--
Aidan Van Dyk aidan@xxxxxxxx
Senior Software Developer +1 215 825-8700 x8103
iFAX Solutions, Inc. http://www.ifax.com/
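An added example, not part of the original messages or of HylaFAX: a shell check that reports whether a directory such as the spool's bin/ sits on a noexec mount, by longest-prefix match against a /proc/mounts-style table. The function names and the sample table are constructed for illustration, and the script assumes Linux with GNU `readlink -f`.

```shell
#!/bin/sh
# Added example. The sample table below is constructed; on a live host the
# functions read /proc/mounts (Linux). Mount points containing spaces appear
# escaped as \040 there and are not handled.

# Print the options of the mount that holds PATH (longest mount-point prefix;
# a later entry for the same mount point wins, as it shadows the earlier one).
# $2 is the table to read, "-" for stdin, default /proc/mounts.
mount_opts_for() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# Succeed if PATH lies on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "${2:-/proc/mounts}")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed mount table mirroring the layout described in the thread.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,noexec,relatime 0 0
/dev/sda3 /usr ext4 rw,relatime 0 0
EOF
}

# Usage: sh check.sh /var/spool/hylafax/bin ...
# Symlinks are resolved first: noexec is decided by the filesystem that holds
# the target file, not by the one that holds the link.
for dir in "$@"; do
    real=$(readlink -f -- "$dir") || real=$dir
    if is_noexec "$real"; then
        echo "$dir -> $real: noexec, scripts here will not run"
    else
        echo "$dir -> $real: exec allowed"
    fi
done
```

A symlinked bin/ whose target is on an exec-permitted filesystem passes this check, but a process that has chrooted into the spool cannot follow a symlink that points outside it, which is the case the bind-mount and relocation suggestions above address.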