Re: [Exim] exim & intetd

Top Page
Delete this message
Reply to this message
Author: Philip Hazel
Date:  
To: nick slussar
CC: exim-users
Subject: Re: [Exim] exim & intetd
On Mon, 24 Dec 2001, nick slussar wrote:

> > Here is my scenario:
> >
> > 1) run exim from inetd, like this
> > smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs

> >
> > note the user - mail.
> >
> > 2) in exim.conf put
> >
> > exim_user = root


So you run it as "mail", but tell it to stay as root for most of the
time. The fix, of course, is to run it as root out of inetd in the first
place. That is, if you insist on not having a non-root Exim user.

> > which is required in some cases, like when exim uses pam_unix auth with
> > shadow passwords.


There are other ways round that. I am personally not happy with the
setting of the Exim user to root.

> > 3) result: host becomes fully open relay to anybody, ignoring any
> > relay-control stuff in exim.conf.


Whatever the merits of the different users, Exim clearly ought not to
contain this pitfall. What it needs is a fail-safe way of detecting
"called from inetd". Currently it uses

stdin is a socket
AND
caller is root or the Exim user

where the Exim user is the one defined in the run time configuration.
The problem arises when the caller specified in /etc/inetd.conf is not
the same as the user specified to Exim. This is a situation that could
arise whether or not exim_user is specified in the run time
configuration.

Does anybody have any good ideas for detecting "called from inetd"?
"stdin is a socket" on its own is not good enough - any user could set
that up.

Maybe the best I can do is detect the bad case, which is

stdin is a socket
AND
caller is NOT root or the Exim user

and bomb out with an error.


--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.