Rodney Baker wrote:
Whilst it does look promising, I have a couple of concerns with this app that lead me to believe that I would *only* run it on a dedicated machine that was carefully firewalled from the outside world and the rest of the network and had no other critical systems running on it:
1. Their install script disables SELinux for apache (in fact the app requires this to be so - I suspect that this would also be the case for AppArmor).
2. The install script messes with the /etc/sudoers file and adds privileges to the apache user that I might not necessarily want it to have.
To be fair, exactly what the install script does (and manual steps required for installation) are well documented on their web site. Nevertheless, any application that requires a lessening of security level on a machine to run raises question marks for me.
Having said that, I'm not likely to need to worry about that because a) I don't run a networked fax server and b) I'm not a network administrator for any network that matters (only my home network) but I can only imagine how near to impossible it would be for me to convince the network admins at work that it would be a good idea to try it...

Rodney,

Thanks for the heads up, but they must need to update their site for the current version because that install doesn't mess with SELinux for apache at all. The setup with regard to sudoers simply adds the ability of the apache2 user 'wwwrun' to command /usr/sbin/faxdeluser, /usr/sbin/faxadduser and to /sbin/reboot, or /sbin/halt the server in case of problems.

    # SETUP SUDO PERMISSIONS
    cat /etc/sudoers | grep -v requiretty > /tmp/sudoers
    echo "$HTTPDUSER ALL= NOPASSWD: /sbin/reboot, /sbin/halt, /usr/sbin/faxdeluser, /usr/sbin/faxadduser -u * -p * *" >> /tmp/sudoers
    if [ ! -f /etc/sudoers.orig ]; then
        mv /etc/sudoers /etc/sudoers.orig
    fi
    mv /tmp/sudoers /etc/sudoers
    chmod 0440 /etc/sudoers
    chown root.root /etc/sudoers

The original change made to /etc/sudoers was to add:

    wwwrun ALL= NOPASSWD: /sbin/reboot, /sbin/halt, /usr/sbin/faxdeluser, /usr/sbin/faxadduser -u * -p * *

Which all I did was to remove the reboot and halt to prevent the server from being shot-in-the-head by the web server:

    wwwrun ALL= NOPASSWD: /usr/sbin/faxdeluser, /usr/sbin/faxadduser -u * -p * *

I agree, that without the removal, your recommendation of it only being run on a standalone box hits the nail on the head. I didn't see too much of a security concern about having wwwrun control the faxadduser and faxdeluser scripts. Additionally, the control is limited by user and password.

I'm still working with it to get it tweaked, but for the amount of faxes we get to already have the date and time of arrival databased so that the assistants just have to provide the to: from: and case no.: info is a big help.

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
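
The two sudoers rules quoted in the message above, run through a small lint pass. This is an added example, not part of the original message or of the installer; the function name `audit_sudoers_line` and the flag labels are made up for illustration. It marks, per command, the properties that sudoers(5) documents for such entries: whether a password is required, whether arguments are unrestricted, and whether wildcards appear in the argument list.

```python
import re

# Commands the thread singles out as able to take the server down.
POWER_CMDS = {"/sbin/reboot", "/sbin/halt"}
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")   # e.g. "NOPASSWD: "

def audit_sudoers_line(line):
    """Audit one user specification; return (user, [(command, flags)]) or None."""
    line = line.strip()
    if (not line or "=" not in line or line.startswith(("#", "@", "Defaults"))
            or re.match(r"\w+_Alias\b", line)):
        return None
    lhs, rhs = line.split("=", 1)
    user, nopasswd, findings = lhs.split()[0], False, []
    for spec in re.split(r"(?<!\\),", rhs):            # commas may be escaped in args
        spec = re.sub(r"^\([^)]*\)\s*", "", spec.strip())  # drop a (runas) prefix
        m = TAG_RE.match(spec)
        if m:                                          # tags carry over to later commands
            for tag in re.findall(r"[A-Z_]+", m.group(1)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
            spec = spec[m.end():]
        cmd, _, args = spec.partition(" ")
        args = args.strip()
        flags = set()
        if nopasswd:
            flags.add("nopasswd")
        if cmd in POWER_CMDS:
            flags.add("power-control")
        if not args:
            flags.add("any-args")        # sudoers(5): no args listed = any args allowed
        elif re.search(r"[*?]", args):
            flags.add("wildcard-args")   # sudoers(5): wildcards match across word boundaries
        findings.append((cmd, sorted(flags)))
    return user, findings

# The two rules quoted in the message above.
INSTALLER_RULE = ("wwwrun ALL= NOPASSWD: /sbin/reboot, /sbin/halt, "
                  "/usr/sbin/faxdeluser, /usr/sbin/faxadduser -u * -p * *")
TRIMMED_RULE = "wwwrun ALL= NOPASSWD: /usr/sbin/faxdeluser, /usr/sbin/faxadduser -u * -p * *"

if __name__ == "__main__":
    for rule in (INSTALLER_RULE, TRIMMED_RULE):
        user, findings = audit_sudoers_line(rule)
        print(user)
        for cmd, flags in findings:
            print(f"  {cmd:24} {', '.join(flags)}")
```

To forbid arguments entirely, sudoers(5) uses an empty string (`""`) after the command; an entry written that way gets neither the `any-args` nor the `wildcard-args` flag here.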