Re: [EXIM] permissions for non-root exim

Author: V. T. Mueller
Date:  
To: eml
Subject: Re: [EXIM] permissions for non-root exim
On Tue, 10 Nov 1998, Peter Radcliffe wrote:
> "V. T. Mueller" <vtmue@???> probably said:
> > Specifying a UID for exim to run under brought up a few 'problems':
> > Exim runs as bin:mail. One point was that I wanted it to write its
>
> I would _really_ not recommend this.
> The bin user owns many system programs which are run by root predictably
> and in theory with exim running as bin if any problems are discovered
> with exim itself you might be able to overwrite said root run binaries and
> get root ...


Hm, ok. I first thought of doing it with exim:mail but then came across
even more problems with directory access. The default is root:root which
I'd like to avoid. So bin:mail isn't really better/more secure?

> > logfiles next to all other logfiles in /var/adm/syslog/. Since /var/adm/
> > is set to 750 I had to add access for bin:mail using ACLs - that one works
> > fine and could be done in a minute.
>
> I keep my exim logs in /var/log/exim, which I have owned by my exim user.


Well, yes. You won't have any problems then. My attempt is just to keep
the systems organized in such a way that, e.g., logfiles are all under
/var/adm/syslog so that I can restrict this path from user access.

> > 04vb-00 == vtmue@??? T=local_delivery defer (13):
> > Permission denied: creating lock file hitching post
> > /var/mail/vtmue.lock.heaven.ruf.uni-freiburg.de.3648a254.00004a05
> > 21:36:56 0zdKX2-00
> >
> > didn't exist while running exim as root:root. The point is that I'm not
> > keen on adding ACLs for every local user to /var/mail. How about using a
> > different directory for lock files? If so, could this be specified as a
> > runtime configurable Option (I couldn't find anything appropriate in the
> > specs)? Any other ideas?
>
> What are the permissions on /var/mail ?


775

> The usual method for dealing with /var/mail writing as the user is
> having it world writable, but sticky, a'la /tmp.
> I don't like this, so I deliver to home directories.


Well, 1777 is s/th I don't like very much either. On the other side - if I
change exim to deliver to home dirs I'd have to change the whole POP
config, including giving POP users a homedir.

Hey Philip, how about a POP module for exim? :) I'm just kidding.. sorry
it's late here :)

Thanks so far. I will think over the whole setup tomorrow again.

Volker
--
  ------------------------------------------------------------------------
  Volker T. Mueller      Albert-Ludwigs-Universitaet  Freiburg im Breisgau
  Computer science student    vtmue@???  +49 761 355-03 -80(fax)


                        "One is a Christian for others"



--
*** Exim information can be found at http://www.exim.org/ ***
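As an added example (not from this thread or from Exim itself), a small POSIX shell check for the two points discussed above: whether a spool directory's mode lets per-user local delivery create its lock-file hitching post, and whether the same mode lets any user remove other users' files. The function names `spool_lockfile_check` and `lockfile_probe` are assumed here, and the demo directories are constructed, not a real /var/mail.

```shell
#!/bin/sh
# Added example, not from the thread; function names here are assumed.
# Mode bits of a spool directory vs. per-user local delivery, plus a probe.

# Classify a shared spool directory such as /var/mail:
#   sticky-world-writable  1777 like /tmp: any user may create a lock
#                          file, only its owner (or root) may remove it
#   world-writable         0777: any user may unlink anyone's mailbox
#                          or lock file; never use this
#   restricted             0775 etc.: delivery running as the recipient
#                          user gets EACCES on the lock file; needs ACLs,
#                          a group, another lock dir or home delivery
spool_lockfile_check() {
    dir=$1
    [ -d "$dir" ] || { echo "not-a-directory"; return 1; }
    if find "$dir" -maxdepth 0 -perm -0002 | grep -q .; then
        if find "$dir" -maxdepth 0 -perm -1000 | grep -q .; then
            echo "sticky-world-writable"
        else
            echo "world-writable"
        fi
    else
        echo "restricted"
    fi
}
# Probe: create and remove a "<user>.lock.<host>.<pid>" file as the
# current user, the step that failed with "Permission denied" above.
# set -C (noclobber) makes the create exclusive, like O_EXCL.
lockfile_probe() {
    dir=$1
    name="$dir/$(id -un).lock.$(uname -n).$$"
    if ( set -C; : > "$name" ) 2>/dev/null; then
        rm -f "$name"
        echo "ok"
    else
        echo "denied"
    fi
}
# Demo on constructed directories (sample data, not a real /var/mail).
demo_spool() {
    base=$(mktemp -d) || return 1
    for m in 0775 1777 0777; do
        mkdir "$base/mail$m" && chmod "$m" "$base/mail$m"
        printf 'mode %s: %s, probe %s\n' "$m" \
            "$(spool_lockfile_check "$base/mail$m")" \
            "$(lockfile_probe "$base/mail$m")"
    done
    rm -rf "$base"
}
demo_spool
```

Run it as the user that local delivery would run as; on the demo directories the probe succeeds everywhere because the current user owns them, while on a real 0775 root:mail spool only members of group mail (or root) get "ok".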