[Exim] Re: Is wrapper needed if MTA sets user and group?

Author: oneiros
To: Jeffrey Goldberg
CC: majordomo-users, exim-users
Subject: [Exim] Re: Is wrapper needed if MTA sets user and group?
Thus spake Jeffrey Goldberg (J.Goldberg@???):

> With some (probably most by now, but I am working with exim) MTAs it is
> possible to set the user and group under which a pipe will be executed.
> [SNIP]
> The use of group and user in the exim director will ensure that pipes
> (and file appends if there are any) in those aliases will be run
> as uid majordom.
> Does this obviate the need for wrapper? Or are there other things that
> wrapper protects me from?

Yes and no.

By setting uid and gid at the mta level you eliminate the "nasty" part of the
wrapper, and remove many possible and theoretical security problems. A very
good thing to do, of course. You can now chmod 755 /usr/lib/majordomo/wrapper
(or wherever your wrapper is). The wrapper no longer needs to worry about
changing the uid and gid of the majordomo process.

You will still need to use the wrapper though, as it provides several
essential environment settings to the majordomo, resend, etc. processes. It
sets HOME, PATH, SHELL, MAJORDOMO_CF and any local stuff you may have defined
when you built it. majordomo needs this to function properly.
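
An added example, not the Majordomo wrapper source and not part of the original message: a non-setuid wrapper that leaves uid and gid to the MTA, passes only HOME, PATH, SHELL and MAJORDOMO_CF, and execs a program from the Majordomo directory. The config path /etc/majordomo.cf, the PATH value and the helper name resolve_program are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed install locations; adjust to the local build. */
#define MJ_HOME "/usr/lib/majordomo"
#define MJ_CF   "/etc/majordomo.cf"

/* Fixed environment handed to every Majordomo program; nothing is
   inherited from the MTA's environment. */
static char *const clean_env[] = {
    "HOME=" MJ_HOME,
    "PATH=/bin:/usr/bin",
    "SHELL=/bin/sh",
    "MAJORDOMO_CF=" MJ_CF,
    NULL
};

/* Build the absolute path of the program to run (hypothetical helper).
   Returns 0 on success, -1 if the name is empty, starts with '.',
   contains '/', or does not fit in the buffer. */
int resolve_program(const char *name, char *out, size_t outlen)
{
    if (name == NULL || name[0] == '\0' || name[0] == '.' || strchr(name, '/'))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", MJ_HOME, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char path[1024];

    if (argc < 2 || resolve_program(argv[1], path, sizeof path) != 0) {
        fprintf(stderr, "usage: wrapper program [args...]\n");
        return 1;
    }
    /* The MTA has already set uid and gid, so real and effective ids
       must match; refuse to run if installed setuid or setgid. */
    if (getuid() != geteuid() || getgid() != getegid()) {
        fprintf(stderr, "wrapper: must not be installed setuid/setgid\n");
        return 1;
    }
    execve(path, argv + 1, clean_env);
    perror(path);   /* only reached if execve failed */
    return 1;
}
```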


