[Exim] Re: Is wrapper needed if MTA sets user and group?

Author: oneiros
Date:  
To: Jeffrey Goldberg
CC: majordomo-users, exim-users
Subject: [Exim] Re: Is wrapper needed if MTA sets user and group?
Thus spake Jeffrey Goldberg (J.Goldberg@???):

> With some (probably most by now, but I am working with exim) MTAs it is
> possible to set the user and group under which a pipe will be executed.
> [SNIP]
>
> The use of group and user in the exim director will ensure that pipes
> (and file appends if there are any) in those aliases will be run
> as uid majordom.
>
> Does this obviate the need for wrapper? Or are there other things that
> wrapper protects me from?


Yes and no.

By setting uid and gid at the mta level you eliminate the "nasty" part of the
wrapper, and remove many possible and theoretical security problems. A very
good thing to do, of course. You can now chmod 755 /usr/lib/majordomo/wrapper
(or wherever your wrapper is). The wrapper no longer needs to worry about
changing the uid and gid of the majordomo process.

You will still need to use the wrapper though, as it provides several
essential environment settings to the majordomo, resend, etc. processes. It
sets HOME, PATH, SHELL, MAJORDOMO_CF and any local stuff you may have defined
when you built it. majordomo needs this to function properly.

Cheers...

-- 
 oneiros (oneiros@???) 1024D/62C2F77D           94143243451512659321
 url: http://www.darkspire.net/  EBB8 AF14 8C43 2F12 7623 05187239048682851291
 irc: EFnet / tietNET / opn      C0AA C0AE 56D4 62C2 F77D 34748760276719592346
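Added example, not part of the original message and not Majordomo's own wrapper source: a minimal non-setuid wrapper in the role described in the reply above. It leaves uid/gid to the MTA and only pins HOME, PATH, SHELL and MAJORDOMO_CF before running a program from the Majordomo directory. The config path, the PATH and SHELL values, the name checks and the exit codes are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MJ_HOME "/usr/lib/majordomo"   /* directory named in the message */
#define MJ_CF   "/etc/majordomo.cf"    /* assumed config location */

/* Fixed environment for the child (values assumed); nothing is inherited from the MTA. */
static char *const clean_env[] = {
    "HOME=" MJ_HOME,
    "PATH=/bin:/usr/bin",
    "SHELL=/bin/sh",
    "MAJORDOMO_CF=" MJ_CF,
    NULL
};

/* Accept only a bare program name: no '/', no leading '.' or '-', bounded length. */
int safe_program_name(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '.' || name[0] == '-')
        return 0;
    if (strlen(name) > 64 || strchr(name, '/') != NULL)
        return 0;
    return 1;
}

/* Write MJ_HOME/name into buf; 0 on success, -1 if rejected or truncated. */
int build_target(const char *name, char *buf, size_t len)
{
    int n;
    if (!safe_program_name(name))
        return -1;
    n = snprintf(buf, len, "%s/%s", MJ_HOME, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(int argc, char *argv[])
{
    char target[256];
    if (argc < 2 || build_target(argv[1], target, sizeof target) != 0) {
        fprintf(stderr, "usage: wrapper program [args...]\n");
        return 64;                     /* EX_USAGE */
    }
    /* The MTA has already set uid/gid: refuse root or a leftover setuid bit. */
    if (getuid() == 0 || geteuid() == 0 || getuid() != geteuid())
        return 77;                     /* EX_NOPERM */
    execve(target, &argv[1], clean_env);
    perror("execve");
    return 71;                         /* EX_OSERR */
}
```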