Re: [Exim] Re: Exim and IBM DB2

トップ ページ
このメッセージを削除
このメッセージに返信
著者: Philip Hazel
日付:  
To: Miquel van Smoorenburg
CC: exim-users
題目: Re: [Exim] Re: Exim and IBM DB2
On Thu, 20 Dec 2001, Miquel van Smoorenburg wrote:

> On the INN mailinglist someone suggested the following:
>
> - let the non-priviliged daemon create a socket and fork()
> - the child exec()s a small setuid helper program
> - that setuid helper program ofcourse also inherits the socket fd
> - the helper binds the socket to port 25 and exit()s
>
> Now the main program has a socket bound to port 25..


How does this make life more secure than:

- let the daemon program be privileged
- the daemon creates a socket and binds it to port 25
- the daemon obeys setuid() to give up the privilege

(which is what Exim does)? You also have the added complication of
controlling who may exec the helper.

> If you want the users to be able to mount the spool over NFS
> you *have* to use dotlocking.


That sentence is using the "alternative" meaning of "spool", that is
"directory containing users' mailboxes". It is not what Exim calls a
"spool", which is "the directory where Exim keeps messages in transit".

Given that interpretation, it's absolutely true, of course.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.