Re: [Exim] Security Considerations (AUTH + shadow)

Page principale
Supprimer ce message
Répondre à ce message
Auteur: David Harrigan
Date:  
À: exim-users
CC: Christi Alice Scarborough
Sujet: Re: [Exim] Security Considerations (AUTH + shadow)
Hiya,

After reading all the wonderful comments I get the idea (esp. after
Christi's comments).

cp the shadow file to a new file
give it the owner/group of mail
remove all permissions except for read
use this file for lookups

How does that sound?

David Harrigan
KMP Internet
Regent House, Heaton Lane
Stockport, Cheshire. SK4 1BS
Phone: +44 (0) 161 429 6590 Fax: +44 (0) 161 476 0370
http://www.kmpinternet.com

PGP Key and ID: http://patience.mcc.ac.uk

----- Original Message -----
From: "Christi Alice Scarborough" <christi.scarborough@???>
To: "Lukasz Grochal" <lgrochal@???>
Cc: <exim-users@???>
Sent: Thursday, October 12, 2000 4:48 PM
Subject: Re: [Exim] Security Considerations (AUTH + shadow)


> On Thu, Oct 12, 2000 at 04:05:34PM +0200, Lukasz Grochal wrote:
> > > root runs a cronjob every hour (your milage may vary) which reformats
> > > /etc/shadow into a file suitable for exim and then calls exim_dbmbuild.
> >
> > Not necessarily a good idea either, I think. Why not adding exim user to
> > the shadow group (I believe you have a shadow group and have the permissions
> > for /etc/shadow set correctly, ie: -rw-r----- user: root group: shadow).
>
> Because it won't work. Exim doesn't actually have the privilage of its
> group memberships when it runs the authentication checks. The only
> sensible way to do this seems to be to create a seperate copy of the
> shadow file which only exim has access to.
>
> In the light of Phil's comments, I'll also say that the system I use
> this on doesn't actually allow external login, so using the actual
> password file isn't an issue for me, although I do insist that users
> use different passwords for the mail gatewy than their internal
> accounts, since they are still being transmitted across the public
> network in plain text. (Now if only I can master the excrable
> OpenSSL, this might be fixable, but so far no luck. They seem to have
> turned abysmal documentation and error reporting into an artform.
> I'm so glad exim is the diametric opposite of this.)
>
> Christi
>
> --
> Christi Scarborough, Systems Administrator, FutureTV http://www.futuretv.com/
> FutureTV Labs Ltd, Brunswick House, 61-69 Newmarket Rd, Cambridge, CB5 8EG, UK
> Tel: +44 (0)1223 576100 (switchboard) +44 (0)1223 478660 (direct line)
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##