Hi!
On Mon, Sep 29, 2003 at 10:33:53AM +0100, Philip Hazel writes:
> > The answer is: I'm using the -D switch on the command line, so exim
> > drops root privileges.
> > But I start exim as root (real uid & euid), so I do not want
> > it to drop root privileges. Now it cannot restart by SIGHUP on config
> > change (permission denied on bind()).
> > What should I do to run exim with macros or an alternate config and with
> > root privileges?
>
> This is a difficult security area. It is *much* better if you can avoid
> using -C or -D.
I understand the reasons to drop root privileges when -C is specified
(but ALT_CONFIG_PREFIX and ALT_CONFIG_ROOT_ONLY make this safe),
but what are the reasons to drop privileges when macros are defined? It's
a branch of the default config, and if I wrote it, I think that
using it is safe, isn't it?
> If you start Exim as root with -C or -D it does not drop root
> privileges. BUT, if Exim is re-executed, the -C or -D is passed on; in
> this case it is likely that the privilege will get dropped. This happens
> for local deliveries such as autoreply or re-running Exim via a pipe.
> There isn't any way round this.
IMHO options like MACROS_DROP_PRIVS and ALT_CONFIG_DROP_PRIVS
(on by default) in the Local/Makefile would be helpful.
(I understand that it's a hard and discussable topic.)
--
Lucky carrier,
Pavel.