Re: [Exim] running SMTP mailers without root privileges....

Author: Exim Users Mailing List
Date:  
To: Exim Users Mailing List
Previous subject: [Exim] Re: Exim and IBM DB2
Subject: Re: [Exim] running SMTP mailers without root privileges....
[ On Thursday, December 20, 2001 at 10:12:41 (+0000), Miquel van Smoorenburg wrote: ]
> Subject: [Exim] Re: Exim and IBM DB2
>
> You have less code. The daemon doesn't need to be setuid root at all.


The daemon shouldn't ever be setuid root unless end-user-initiated
processes must have root privileges for some reason, and this is
never true (at least not with the scheme I outlined, not even if the
pipe delivery helper needs root privs, since it alone can be setuid root).

Setuid-root isn't the only way to achieve privileges -- just the way to
achieve supreme privileges. A programmer should never use superuser
privileges unless they are absolutely 101% definitely required.

Root can safely start a setgid binary, without too much trouble at
least, and use "his" privileges only for a short period of time before
permanently giving up those root privileges and continuing on to do the
main job of the process.

FYI the only time there's going to be any trouble with a root started
process permanently giving up its privileges is when you need to exec()
to do it on some given type of system, and that system has no support
for setting or clearing the close-on-exec flag in open file descriptors.
As far as I know there's no such type of system in use (I would consider
such a feature set to be seriously buggy anyway).

--
                                Greg A. Woods


+1 416 218-0098; <gwoods@???>; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>
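The "start as root, do the privileged bit, then permanently give up root" pattern and the close-on-exec point from the message above, written out as an added example. This is not code from the original post or from Exim; the function names (drop_privileges, set_cloexec, is_cloexec, cloexec_roundtrip) and the choice of "nobody" as the unprivileged account are this example's own assumptions. The irreversibility check relies on POSIX/Linux behaviour: when a process with effective uid 0 calls setuid()/setgid(), the real, effective and saved ids are all set, so there is no saved-set-uid left to climb back with.

```c
/* Added example: permanently dropping root in a root-started daemon and
 * marking descriptors close-on-exec before handing work to an exec()'d helper.
 * Function names here are the example's own, not Exim's. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Irreversibly switch to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and gid first (both need root),
 * uid last, because once uid is not 0 the group changes are refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear supplementary groups, or root's memberships (e.g. "disk",
         * "wheel") survive the uid switch. Requires root/CAP_SETGID. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify every id is what was asked for ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ... and that root cannot be regained. Moot when the target is 0. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Set FD_CLOEXEC so fd does not leak into whatever the helper exec()s. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1 ? -1 : 0;
}

/* 1 if fd is close-on-exec, 0 if not, -1 on error. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Self-check using a pipe (no filesystem needed): the flag starts clear,
 * set it on the read end only, confirm the write end is untouched.
 * Returns 1 on success, 0 otherwise. */
int cloexec_roundtrip(void)
{
    int p[2];
    if (pipe(p) != 0)
        return 0;
    int ok = is_cloexec(p[0]) == 0 && set_cloexec(p[0]) == 0 &&
             is_cloexec(p[0]) == 1 && is_cloexec(p[1]) == 0;
    close(p[0]);
    close(p[1]);
    return ok;
}

/* Stand-alone demo: privileged setup would go before the drop; after it,
 * the process runs as "nobody" (or argv[1]) for the rest of its life. */
int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    if (geteuid() != 0) {
        printf("not root (uid %u); nothing to drop\n", (unsigned)geteuid());
        return 0;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid %u, gid %u; root regain refused as expected\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The verification step is the part worth copying: a daemon that believes it dropped root but still holds a saved-set-uid of 0, or a supplementary group it inherited from root, has not given up anything permanent. When the unprivileged part is reached by exec() rather than in-process, every descriptor opened while root that the helper does not need should be flagged with FD_CLOEXEC first; the message's point is that a system which cannot set that flag would leave you no clean way to do the hand-off.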