Chkuser 2.0 - running with GID/UID switching
To enable GID/UID switching, the #define CHKUSER_ENABLE_UIDGID line has to be enabled in chkuser_settings.h.
qmail-smtpd, patched with chkuser, must be installed (by default in /var/qmail/bin) with setuid (user qmaild) and setgid (group nofiles) bits on, and executed by tcpserver with -u vpopmail-user and -g vchkpw-group parameters.
qmail-smtpd starts running with the original qmail-smtpd uid and gid, switches to the vpopmail uid and gid while checking for user existence, and switches back to the starting uid and gid when the check ends.
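The switch described above can be pictured with the standard POSIX real/effective ID calls. This is an added illustration, not chkuser's source: with_real_ids and demo_lookup are hypothetical names, and it assumes the setup on this page (effective IDs from the setuid/setgid bits, real IDs from tcpserver -u and -g).

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* seteuid(), setegid() */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*lookup_fn)(const char *);

/* Hypothetical helper: run check() with the effective IDs set to the real
 * IDs, then return to the starting IDs. Returns check()'s result, or -1 if
 * any switch failed; on -1 the caller must stop, not carry on. */
int with_real_ids(lookup_fn check, const char *arg)
{
    uid_t start_uid = geteuid();  /* from the setuid bit (qmaild)     */
    gid_t start_gid = getegid();  /* from the setgid bit (nofiles)    */
    uid_t run_uid = getuid();     /* from tcpserver -u (vpopmail uid) */
    gid_t run_gid = getgid();     /* from tcpserver -g (vchkpw gid)   */
    int result;

    /* Switch. The saved set-IDs still hold the starting identity. */
    if (setegid(run_gid) != 0 || seteuid(run_uid) != 0)
        return -1;
    if (geteuid() != run_uid || getegid() != run_gid)
        return -1;

    result = check(arg);

    /* Switch back and confirm that it took effect. */
    if (seteuid(start_uid) != 0 || setegid(start_gid) != 0)
        return -1;
    if (geteuid() != start_uid || getegid() != start_gid)
        return -1;
    return result;
}

/* Constructed stand-in for the user lookup: returns 1 when it is called
 * with effective IDs equal to the real IDs, 0 otherwise. */
int demo_lookup(const char *address)
{
    (void)address;
    return geteuid() == getuid() && getegid() == getgid();
}

int main(void)
{
    printf("lookup ran under real IDs: %d\n",
           with_real_ids(demo_lookup, "user@example.com"));
    return 0;
}
```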
Instructions
You have to set SUID (set-user-ID-on-execution) and SGID (set-group-ID-on-execution) bits on qmail-smtpd:
chown qmaild qmail-smtpd
chgrp nofiles qmail-smtpd
chmod 6555 qmail-smtpd
and the result should look like this (with a different size and date, of course):
-r-sr-sr-x 1 qmaild nofiles 57056 Feb 14 18:18 qmail-smtpd
Integrate qmail-smtpd in your start files:
As an example, a real start command for qmail-smtpd may be:
#!/bin/sh -e
#
# Using splogger to send the log through syslog.
exec env - PATH="/var/qmail/bin:/usr/local/bin" \
tcpserver -t 5 -v -p -x <your.tcp.smtp.cdb> \
-u <vpopmail-user> -g <vchkpw-group> -l <your-host.domain> \
0 smtp qmail-smtpd 2>&1 | splogger smtpd &
where
<vpopmail-user> = vpopmail uid
<vchkpw-group> = vchkpw gid
<your-host.domain> = your host.domain (!)
<your.tcp.smtp.cdb> = your tcp.permission.to.relay cdb
Important note
If your domains are spread over more than one system user, the switched identity I indicated as vpopmail should be set to root.