[EXIM] admin groups ?

Author: James FitzGibbon
Date:  
To: exim-users
Subject: [EXIM] admin groups ?

I'm considering preparing a patch for exim, and wanted to get some
feedback to see if anyone else could use it first.

Currently, to be considered an admin user, you must :

- be root
OR
- be the exim user (if one is defined)
OR
- be in the exim group (if one is defined)

The problem I face is that I need another level of admin control. Senior
admins should be in the exim group and have access to almost everything
that the exim user does (simply via file permissions). Junior admins need
to be able to perform certain administrative operations, but not have
file system level access to files.

That is, if exim_group is defined to be 'mail' and the directory in which
the logs reside looks like this :

[mail1:james] ...var/log/mail1.tor.accglobal.net (7) # ll
total 7136
drwxr-x---   2 exim     mail         4096 May  4 13:54 .
drwxr-x---   3 exim     mail         4096 Apr 24 12:04 ..
-rw-r-----   1 exim     mail      3640066 May  5 05:50 exim_main.log
[mail1:james] ...var/log/mail1.tor.accglobal.net (8) # 


Then anyone in group 'mail' can get in and read the logs. They are also
considered an admin user. What I'm looking to do is define a new
attribute "exim_admin_group" (and exim_admin_user if convention demands
it). The idea is that the logic for deciding who is an admin user becomes

- you must be root
OR
- you must be the exim user (if one is defined)
OR
- you must be in the exim group (if one is defined)
OR
- you must be the exim_admin_user (if one is defined)
OR
- you must be in the exim_admin_group (if one is defined)


I've pretty much got the patch completed, and while I know that I'll get
use out of it, it still comes off as being rather kludgey. I'm interested
in hearing other opinions about the way I'm doing this and possible
alternatives to it before I clean it up and offer it to Philip.

Thoughts ?

--
j.

James FitzGibbon                                                james@???
Member, ACC Corps of Internet Engineers           Voice/Fax (416)207-7171/7123


"...much of today's software is comprised of mostly 'D' and very little 'R'"
                                                              -- Alan Cooper




--
*** Exim information can be found at http://www.exim.org/ ***
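
Added example, not part of the original message and not Exim's own code: a C model of the admin decision proposed above, next to the ordinary Unix read check on exim_main.log (exim:mail, mode 0640), showing that a member of exim_admin_group counts as an admin user without gaining read access to the log. The struct and function names and the numeric ids are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define UNSET_UID ((uid_t)-1)   /* option not defined */
#define UNSET_GID ((gid_t)-1)

/* Hypothetical config struct; fields mirror the options named in the post. */
struct admin_cfg { uid_t exim_uid; gid_t exim_gid; uid_t admin_uid; gid_t admin_gid; };
struct caller { uid_t uid; const gid_t *groups; size_t ngroups; };

static bool in_group(const struct caller *c, gid_t gid)
{
    for (size_t i = 0; gid != UNSET_GID && i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Admin decision: the three current conditions plus the two proposed ones. */
bool is_admin_user(const struct caller *c, const struct admin_cfg *cfg)
{
    if (c->uid == 0) return true;
    if (cfg->exim_uid != UNSET_UID && c->uid == cfg->exim_uid) return true;
    if (in_group(c, cfg->exim_gid)) return true;
    if (cfg->admin_uid != UNSET_UID && c->uid == cfg->admin_uid) return true;
    return in_group(c, cfg->admin_gid);
}

/* Owner/group/other read check, as the kernel applies it to exim_main.log. */
bool can_read(const struct caller *c, uid_t owner, gid_t group, mode_t mode)
{
    if (c->uid == 0) return true;
    if (c->uid == owner) return (mode & 0400) != 0;
    if (in_group(c, group)) return (mode & 0040) != 0;
    return (mode & 0004) != 0;
}

/* Constructed sample ids: exim=93, mail=12, exim_admin_group=2000. */
static const gid_t senior_g[] = {100, 12}, junior_g[] = {100, 2000}, other_g[] = {100};
const struct admin_cfg sample_cfg = {93, 12, UNSET_UID, 2000};
const struct caller senior = {1001, senior_g, 2};
const struct caller junior = {1002, junior_g, 2};
const struct caller other  = {1003, other_g, 1};

int main(void)
{
    printf("junior: admin=%d reads log=%d\n",
           is_admin_user(&junior, &sample_cfg), can_read(&junior, 93, 12, 0640));
    return 0;
}
```

The same file check applies to the log directory itself (exim:mail, mode 0750), so the junior admin cannot enter it either.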