The install-wrap program replaces qmail's bin/qmail-queue with a symbolic link to qscanq, keeping the real qmail-queue reachable under bin/qscanq/. The replacement is atomic, so install-wrap can safely be run without stopping qmail.

Note that if conf-qmailq points to the same directory in which qmail-queue is installed (qmail's bin directory), install-wrap exits with an error message instead of proceeding: once step 4 below has replaced bin/qmail-queue with a link to qscanq, qscanq would otherwise end up invoking that link, i.e. itself.

Algorithm

Replacement is done in the following steps:

  1. The directory bin/qscanq is created under qmail's root directory (usually /var/qmail), owned by the root user and the qscanq group, with 02750 permissions. If the directory already exists, its ownership and permissions are changed to those same values. Because the directory is not world-searchable, ordinary users cannot run the real qmail-queue directly and so cannot bypass qscanq.

  2. Qmail's bin/qmail-queue is hard-linked into bin/qscanq/, so the same binary is now reachable under two names and survives step 4. If a file named bin/qscanq/qmail-queue already exists, this step is skipped.

  3. A symbolic link pointing to /package/mail/qscanq/command/qscanq is created as bin/qmail-queue.tmp under qmail's root directory. A symbolic rather than hard link is used so that /package/mail/qscanq/command can safely live on a different filesystem from qmail; creating it under a temporary name in the same directory as qmail-queue is what lets the next step be a single rename within one filesystem.

  4. The symbolic link is renamed to bin/qmail-queue, which replaces the original directory entry for qmail-queue in qmail's bin directory; the binary itself is not lost, because of the hard link made in step 2. At this point qmail-queue has been moved into bin/qscanq/ and replaced with a link to qscanq.
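The four steps above, together with the conf-qmailq check mentioned at the top of the page, as an added example in POSIX shell. This is not qscanq's own install-wrap: the qmail root, the qscanq command path, the conf-qmailq value and the group name are passed as arguments here (the real program uses /var/qmail and /package/mail/qscanq/command/qscanq), so the function can be exercised against a scratch directory as an unprivileged user, and ownership is only changed when running as root. The is_wrapped check and the guard against an already-linked qmail-queue are additions of this example, not behaviour the page describes.

```shell
#!/bin/sh
# Added example, not qscanq's install-wrap. Arguments replace the compiled-in
# paths so the steps can be run against a scratch tree without root.

install_wrap() {
    qmail_root=$1        # e.g. /var/qmail
    qscanq_cmd=$2        # e.g. /package/mail/qscanq/command/qscanq
    conf_qmailq=$3       # the qmail-queue path that qscanq itself will exec
    group=${4:-qscanq}   # group allowed to reach the real qmail-queue
    bin=$qmail_root/bin
    wrapdir=$bin/qscanq

    # conf-qmailq must not name a file in qmail's bin directory: after step 4
    # that would make qscanq exec the link to itself. Refuse before touching
    # anything, as the page says install-wrap does.
    if [ "$(dirname "$conf_qmailq")" = "$bin" ]; then
        echo "install-wrap: conf-qmailq points into $bin; refusing" >&2
        return 1
    fi
    # Added guard (assumption, not on the page): if bin/qmail-queue is already
    # a symlink and no saved copy exists, the hard link in step 2 would capture
    # the link rather than the binary, so stop instead.
    if [ -L "$bin/qmail-queue" ] && [ ! -f "$wrapdir/qmail-queue" ]; then
        echo "install-wrap: $bin/qmail-queue is a link but no saved binary exists" >&2
        return 1
    fi

    # Step 1: bin/qscanq, root:<group>, mode 02750 (setgid, no world access).
    mkdir -p "$wrapdir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$group" "$wrapdir" || return 1
    fi
    chmod 2750 "$wrapdir" || return 1

    # Step 2: keep the real binary reachable through a hard link. ln fails
    # (EXDEV) if bin/qscanq lives on another filesystem; nothing in bin/ has
    # been touched yet, so qmail keeps working in that case.
    if [ ! -e "$wrapdir/qmail-queue" ]; then
        ln "$bin/qmail-queue" "$wrapdir/qmail-queue" || return 1
    fi

    # Step 3: the symlink, under a temporary name in the same directory as the
    # file it will replace, so that step 4 stays within one filesystem.
    rm -f "$bin/qmail-queue.tmp"
    ln -s "$qscanq_cmd" "$bin/qmail-queue.tmp" || return 1

    # Step 4: rename(2) over the old name. bin/qmail-queue is either the old
    # binary or the new link at every instant, never absent.
    mv -f "$bin/qmail-queue.tmp" "$bin/qmail-queue" || return 1
}

# Post-install check: bin/qmail-queue is a symlink to the qscanq command and
# the real binary survives as a regular file under bin/qscanq/.
# Returns 0 when wrapped, 1 otherwise.
is_wrapped() {
    bin=$1/bin
    [ -L "$bin/qmail-queue" ] &&
    [ "$(readlink "$bin/qmail-queue")" = "$2" ] &&
    [ -f "$bin/qscanq/qmail-queue" ] && [ ! -L "$bin/qscanq/qmail-queue" ]
}
```

Running the function a second time is harmless: step 2 is skipped because bin/qscanq/qmail-queue already exists, and the link is simply re-created and renamed over the old link. On a real installation the saved binary ends up at /var/qmail/bin/qscanq/qmail-queue (step 2), which is therefore the path conf-qmailq should name.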

Security and Reliability

If install-wrap fails at any point, qmail-queue is still present in qmail's bin directory: the first three steps never modify bin/qmail-queue, and the fourth is a rename, which the UNIX contract guarantees to be atomic, so the name bin/qmail-queue refers either to the old binary or to the new link and never to nothing. If some UNIX flavor violates this contract and power to the machine is cut at the wrong moment, qmail-queue might vanish. If that happens, qmail-inject and qmail-smtpd will return temporary errors to anyone submitting email, giving the admin time to rectify the problem.

install-wrap is not setuid; it is installed owned by root with 0700 permissions, so only root can run it.

If a bad file named qmail-queue appears in bin/qscanq, installation will appear to complete (step 2 is skipped whenever that name already exists) and the bad file will be invoked instead of qmail-queue. But qmail's bin directory is only writable by root, as is the qscanq subdirectory created by install-wrap, so that can only happen if a superuser has done something he shouldn't.

Similarly, if bin/qscanq/ already exists and resides on another filesystem, the hard link in step 2 cannot be made and installation will fail before bin/qmail-queue is touched. In this case qmail will be unaffected, but virus scanning will not be done. Again, this can only happen if a superuser does something he shouldn't.



Len Budney
lbudney@pobox.com
Copyright © 1998 - 2004
Page generated: 20:38:38 21-Dec-2004