Re: [Exim] Security Considerations (AUTH + shadow)

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [Exim] Security Considerations (AUTH + shadow)
On 2000-10-12 at 16:44 +0200, Frank Elsner gifted us with:
> My /etc/shadow on Solaris 2.7 is
>
> -r--------   1 root     sys       152249 Oct 12 14:40 /etc/shadow
Distributed password stuff, using NIS+, is supposedly more secure if you
restrict the source-port. True in an environment where you absolutely
control who has root on each machine - but given physical access ...

The source-port restriction requires root.

If not using NIS+, or set up for that, having a group shadow is IMO a
good idea.

However, unless it was added in the new TLS code, Exim doesn't do an
initgroups() for user Exim before listening on the port - this can be
done for transports for outgoing mail, but not for incoming mail, so I
don't see that adding Exim to group shadow would help. In fact, if
memory serves, Ms Scarborough tried this but it failed, consequently she
moved to using a separate password file built from /etc/shadow, and PAM
authentication with the PAM module which allows use of an arbitrary file;
I forget the name, but search the mailing-list archives - it was
something like "pam_file", I think.
--
Civilisation: where they cut down the trees and name streets after them.
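The permission question in the thread (whether putting the Exim user into group shadow can help when the daemon never calls initgroups(), and whether it matters at all for a mode 0400 file) can be checked deterministically. The following is an added example written for this page, not Exim code or anything from the list; it reimplements the classic Unix owner/group/other read check in Python, parses the ls-style mode string from the quoted listing, and adds a live helper that reports what the current process could read. The uid/gid values and the group name "shadow" used in the constructed inputs are illustrative assumptions.

```python
import os
import stat

# Constructed file metadata as (mode, owner_uid, owner_gid) triples.
# The first mirrors the post's listing (-r-------- root sys); the gid for
# "sys" (3) and the hypothetical "shadow" gid (42) are assumptions.
SHADOW_ROOT_ONLY = (0o400, 0, 3)
SHADOW_GROUP_READ = (0o440, 0, 42)


def mode_from_ls(perm):
    """Parse an ls(1) permission field such as '-r--------' into mode bits.
    Only the nine rwx positions are interpreted; setuid/setgid/sticky
    markers ('s', 't') are treated as the underlying x bit."""
    if len(perm) != 10:
        raise ValueError("expected a 10-character ls permission field")
    bits = 0
    for ch in perm[1:]:
        bits <<= 1
        if ch != "-":
            bits |= 1
    return bits


def can_read(mode, owner_uid, owner_gid, proc_uid, proc_gid, proc_groups):
    """Discretionary read check as the kernel evaluates it: the process is
    placed in exactly one class (owner, group or other) and only that
    class's bit counts. Group membership means the file's gid equals the
    process's effective gid OR appears in its supplementary group list,
    which a daemon only has if something called initgroups()/setgroups()."""
    if proc_uid == 0:
        return True  # root bypasses DAC read checks
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid == proc_gid or owner_gid in set(proc_groups):
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def daemon_can_read(file_meta, uid, gid, supplementary_groups):
    """Evaluate can_read() for a daemon running as uid/gid. Pass an empty
    set for a daemon that dropped privilege with setuid/setgid only (no
    initgroups), or the full group list if initgroups() was called."""
    mode, owner_uid, owner_gid = file_meta
    return can_read(mode, owner_uid, owner_gid, uid, gid, supplementary_groups)


def groups_after_initgroups(username, primary_gid):
    """What initgroups() would install for this account on the local
    system: every group in the group database listing the user, plus the
    primary gid (os.getgrouplist always includes the gid passed in)."""
    return set(os.getgrouplist(username, primary_gid))


def live_read_check(path):
    """Report whether the current process can read `path` according to
    the same logic, using its real credentials and current group list."""
    st = os.stat(path)
    return can_read(st.st_mode, st.st_uid, st.st_gid,
                    os.geteuid(), os.getegid(), os.getgroups())


if __name__ == "__main__":
    # The post's situation: a 0400 root-owned file. Group membership is
    # irrelevant because the group read bit is not set at all.
    print(daemon_can_read(SHADOW_ROOT_ONLY, 1001, 1001, {3}))     # False
    # A 0440 root:shadow file: only readable if the daemon actually
    # holds gid 42, i.e. after initgroups() or with 42 as primary gid.
    print(daemon_can_read(SHADOW_GROUP_READ, 1001, 1001, set()))  # False
    print(daemon_can_read(SHADOW_GROUP_READ, 1001, 1001, {42}))   # True
    try:
        print("this process can read /etc/shadow:", live_read_check("/etc/shadow"))
    except OSError as exc:
        print("could not stat /etc/shadow:", exc)
```

The useful comparison is the last three cases: with a 0400 file nothing short of uid 0 helps, and with a 0440 root:shadow file the daemon must genuinely hold the shadow gid, which a setuid/setgid-only privilege drop never gives it. Running `live_read_check` from the account a daemon actually runs as is a quick way to confirm what that daemon will see before relying on file-based authentication.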