[Exim] Conditionalize a router on file existance; effective …

Etusivu
Poista viesti
Vastaa
Lähettäjä: Harald Meland
Päiväys:  
Vastaanottaja: exim-users
Aihe: [Exim] Conditionalize a router on file existance; effective uid and NFS woes
Hi,

I'm trying to get the following router to work properly in Exim 4.14:

  tripnote:
    driver = accept
    verify = false
    condition = ${if eq {${extract{targetType}{$address_data}}}{user} {true}}
    router_home_directory = \
          ${extract{home}{${extract{spoolInfo}{$address_data}}}{$value}fail}
    user = ${extract{target}{$address_data}}
    require_files = ${extract{target}{$address_data}}:$home/tripnote
    # Don't send autoreplies to common administrative addresses.
    senders = ! : !^.+-request@ : !^owner-.+@ : !^.+-owner@ : !^postmaster@ : \
          !^listmaster@ : !^mailer-daemon@ : !^root@ : !^.+-admin@ : \
          !^.+=.+\\..+@
    transport = tripnote_reply
    retry_use_local_part
    unseen


address_data is set from a LDAP lookup; the LDAP objects this router
should work for has the following relevant elements

targetType="user"
target="USERNAME"
spoolInfo="home=HOMEDIR maildrop=MAILDROP_PATH"

Users' homedirs are (non-root) NFS mounted on the mail server. Some
users have mode 0700 on their homedirs.


In Exim 2, the '/'-less first element of the require_files section was
interpreted as a username, and caused the existence test for later
elements to be done under the UID of that user.

From looking at the function check_files() in src/route.c, it appears
that this is no longer the case. The function will now try doing a
stat() of any file elements it finds *without* changing (effective)
uid.

Re-reading the latest Exim specification, I can sort of see that the
behaviour I'm experiencing is documented. And, indeed, the
behaviooral change is listed rather explicitly in Exim4.upgrade.

I have searched the list archives and browsed the FAQ, both to no
avail; it seems no one else has seen this as a problem at all.


So, I'm seemingly up the brown river without a paddle. Or, is there
something I'm missing? Pleeeease, tell me it is so! :-)

If I'm *not* missing anything: Can anyone tell me why running as root
while routing is better (securitywise, the Exim4.upgrade file makes me
presume) than using seteuid?
--
Harald