Re: [Exim] Security Considerations (AUTH + shadow)

Author: Christi Alice Scarborough
Date:  
To: Lukasz Grochal
CC: exim-users
Subject: Re: [Exim] Security Considerations (AUTH + shadow)
On Thu, Oct 12, 2000 at 04:05:34PM +0200, Lukasz Grochal wrote:
> > root runs a cronjob every hour (your mileage may vary) which reformats
> > /etc/shadow into a file suitable for exim and then calls exim_dbmbuild.
>
> Not necessarily a good idea either, I think. Why not add the exim user to
> the shadow group (I believe you have a shadow group and have the permissions
> for /etc/shadow set correctly, i.e. -rw-r----- user: root group: shadow)?

Because it won't work. Exim doesn't actually have the privilege of its
group memberships when it runs the authentication checks. The only
sensible way to do this seems to be to create a separate copy of the
shadow file which only exim has access to.

In the light of Phil's comments, I'll also say that the system I use
this on doesn't actually allow external login, so using the actual
password file isn't an issue for me, although I do insist that users
use different passwords for the mail gateway than their internal
accounts, since they are still being transmitted across the public
network in plain text. (Now if only I can master the execrable
OpenSSL, this might be fixable, but so far no luck. They seem to have
turned abysmal documentation and error reporting into an art form.
I'm so glad exim is the diametric opposite of this.)

Christi

--
Christi Scarborough, Systems Administrator, FutureTV http://www.futuretv.com/
FutureTV Labs Ltd, Brunswick House, 61-69 Newmarket Rd, Cambridge, CB5 8EG, UK
Tel: +44 (0)1223 576100 (switchboard) +44 (0)1223 478660 (direct line)
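The cron-job approach discussed above (a root job that reformats the shadow file into a separate copy only exim can read and then runs exim_dbmbuild), as an added example that is not from the original posts. It writes the `key: data` line format that exim_dbmbuild reads, skips locked and passwordless accounts so they cannot authenticate to the MTA, and creates the copy mode 0600 before anything is written to it. The EXIM_USER name, the file paths and the sample shadow records are assumptions made for illustration; the shadow data is constructed, not a real password file.

```shell
#!/bin/sh
# Added example (not from the original thread): build an exim-readable copy
# of the password hashes from a shadow-format file. EXIM_USER, the file paths
# and the sample records below are assumptions for illustration.
set -eu

EXIM_USER="${EXIM_USER:-exim}"

# shadow_to_exim IN OUT: read shadow-format IN and write "user: hash" lines
# (the key/data format exim_dbmbuild expects) to OUT. Records whose password
# field is empty or begins with '*' or '!' (locked or disabled accounts) are
# dropped so they cannot be used to authenticate to the mail gateway.
shadow_to_exim() {
    in="$1"; out="$2"
    tmp="$out.tmp.$$"
    # umask in a subshell: the temp file is born 0600 and the caller's
    # umask is left untouched.
    ( umask 077
      awk -F: '$2 != "" && $2 !~ /^[*!]/ { printf "%s: %s\n", $1, $2 }' "$in" > "$tmp" )
    mv "$tmp" "$out"            # atomic replace of the previous copy
}

# count_entries FILE: number of records written, for a sanity check
count_entries() { wc -l < "$1" | tr -d ' '; }

# Constructed sample shadow data (not a real password file): one usable
# account, one locked with '!', one service account with '*', one empty.
SAMPLE_SHADOW="${TMPDIR:-/tmp}/shadow.sample.$$"
SAMPLE_OUT="${TMPDIR:-/tmp}/exim-passwd.sample.$$"
printf '%s\n' \
  'alice:$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.:11234:0:99999:7:::' \
  'bob:!$1$saltsalt$ZyXwVuTsRqPoNmLkJiHgF/:11234:0:99999:7:::' \
  'svc:*:11234:0:99999:7:::' \
  'nopass::11234:0:99999:7:::' \
  > "$SAMPLE_SHADOW"

shadow_to_exim "$SAMPLE_SHADOW" "$SAMPLE_OUT"

# In the real cron job the copy is handed to the exim user and the DBM
# built from it. Guarded so the script still runs where exim is absent.
if command -v exim_dbmbuild >/dev/null 2>&1; then
    chown "$EXIM_USER" "$SAMPLE_OUT" 2>/dev/null || true
    exim_dbmbuild "$SAMPLE_OUT" "${SAMPLE_OUT}.db"
fi
```

Run it as root from cron with the real /etc/shadow as the input and a path under exim's spool or config directory as the output; the text copy and the resulting DBM file should be owned by the exim user and readable by nobody else, which is the whole point of keeping them separate from /etc/shadow.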