Re: [Exim] Non root operation

Top Page
Delete this message
Reply to this message
Author: Nigel Metheringham
Date:  
To: Mathew Johnston
CC: exim-users
Subject: Re: [Exim] Non root operation
johnston@??? said:
> I want to run exim as a normal user, and give that user only the
> permissions to modify the particular files relating to mail. I do not
> want to run exim as root, I dont want it changing to the user id of
> the user that it's delivering to, and I dont want to have to give it
> root to let it listen on port 25.


> I want to use LIDS and ACLs or heavy use of groups to provide this
> functionality, but I fear that because exim wasnt designed to do this
> (it was designed to run as root it sounds), it'll try to switch
> effective UIDS even when it doesnt have permissions to, even though it
> has the permissions to write to the files that it wants to as it's
> self.


Frankly this is all horribly OS specific, it is complex and worse IT IS
COMPLETELY UNNECESSARY.

What you need to do is modify exim to be able to take an incoming smtp
connection, and keep the socket for further connections to come in on
using a daemon type process.

You can then run exim from inetd in wait mode - inetd fires off an exim
for the first incoming SMTP (that exim not being run as a superuser,
but as whatever is set in the inetd file), inetd then gets out of the
way until such time as that exim dies off. The exim process can accept
and deal with as many incoming connections as it wishes.

If exim also runs with security=unprivaleged then it should not be
attempting UID switches.

The code for the accept and multiple reuse of an incoming socket from
inetd can be found in the pidentd code. Modifying exim for this mode
would be a relatively trivial operation.

    Nigel.


-- 
[ Nigel Metheringham           Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]
[ - Comments in this message are my own and not ITO opinion/policy - ]