Author: Kevin P. Fleming Date: To: exim-dev Subject: [Exim-dev] Exim without root privileges
(Forgive me for starting a new thread, I couldn't see a way to reply to
anything via the mailman archives :-()
In reference to Nigel's post about security issues, I've been thinking
about another alternative: I think Exim should offer the ability to be
compiled into a version that _never_ uses root privileges at all.
Certainly this won't make Exim operate much differently than just not
giving it setuid root, but it could ease some people's concerns about
security flaws in Exim itself.
On my systems, the only thing Exim requires root privileges for is to
listen on port 25, and that is easily remedied by using iptables (on
Linux) to redirect port 25 to a hidden unprivileged port and have Exim
listen there. I'm sure that similar methods are available on *BSD,
Solaris and other OSes.
Given that many Exim users are beginning to use LDAs _other than_
mbox/maildir delivery, it seems that Exim needing root privilege will
become less important as time goes on. Even with the need for
mbox/maildir delivery, if I had to implement that I would be much more
comfortable having the LDA be a small, simple and not-Internet-visible
daemon that did nothing but local mail delivery. With this arrangement,
potential flaws in the Exim code become far less important, as the risk
potential is greatly reduced.
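The port-25 redirection described in the post, written out as an added example (this is not code from the post or from the Exim project). The hidden port 2525 and the user name "exim" are assumptions; daemon_smtp_ports, exim_user and exim_group are Exim's own main-section options. The OUTPUT rule on lo is the part people forget: locally originated connections to port 25 never pass PREROUTING, so without it "telnet localhost 25" still goes to the now-empty port 25.

```shell
#!/bin/sh
# Added example, not code from the post or from Exim: redirect TCP port 25 to
# an unprivileged port so the Exim daemon can bind without root. The hidden
# port (2525) and the exim user name are assumptions; change them to taste.
set -eu

SMTP_PORT=25
HIDDEN_PORT="${HIDDEN_PORT:-2525}"
EXIM_USER="${EXIM_USER:-exim}"
IPT="${IPT:-iptables}"

# Print the NAT rules, one per line. PREROUTING catches connections from
# other hosts; OUTPUT on lo catches locally originated connections (a local
# MUA, or a "telnet localhost 25" smoke test), which never pass PREROUTING.
redirect_rules() {
    printf '%s\n' \
        "$IPT -t nat -A PREROUTING -p tcp --dport $SMTP_PORT -j REDIRECT --to-ports $HIDDEN_PORT" \
        "$IPT -t nat -A OUTPUT -o lo -p tcp --dport $SMTP_PORT -j REDIRECT --to-ports $HIDDEN_PORT"
}

# Matching Exim main-section settings: listen on the hidden port only and
# run as the unprivileged user. exim_user/exim_group override the build-time
# EXIM_USER/EXIM_GROUP.
exim_listen_config() {
    cat <<EOF
daemon_smtp_ports = $HIDDEN_PORT
exim_user = $EXIM_USER
exim_group = $EXIM_USER
EOF
}

# Apply the rules. Only root can change the NAT table, so unless we are root
# and APPLY=1 is set, just print what would be run.
apply_rules() {
    if [ "${APPLY:-0}" != 1 ] || [ "$(id -u)" -ne 0 ]; then
        echo "# not applying (need root and APPLY=1); rules would be:" >&2
        redirect_rules
        return 0
    fi
    redirect_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $rule
    done
}

# After starting the daemon ("exim -bd" as $EXIM_USER), confirm that no
# process owns port 25 itself while the hidden port is open: it is the
# kernel's NAT rule, not Exim, that answers on 25. Returns 0 when that holds.
check_listeners() {
    ss -ltn 2>/dev/null | awk -v p="$HIDDEN_PORT" '
        $4 ~ (":25$")      { on25 = 1 }
        $4 ~ (":" p "$")   { hidden = 1 }
        END { exit !(hidden && !on25) }'
}

apply_rules
```

Two caveats worth keeping in mind: REDIRECT here is IPv4 only, so an IPv6 listener needs the same pair of rules in ip6tables, and the hidden port is still reachable directly by anyone who can reach the host, so it should be treated as the public SMTP port for firewalling purposes rather than as something secret.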