Re: [Exim-dev] Exim without root privileges

Top Page
Delete this message
Reply to this message
Author: Yann Golanski
Date:  
To: Kevin P. Fleming
CC: exim-dev
Subject: Re: [Exim-dev] Exim without root privileges
Quoth Kevin P. Fleming on Wed, Mar 10, 2004 at 10:46:14 -0700
> On my systems, the only thing Exim requires root privileges for is to
> listen on port 25, and that is easily remedied by using iptables (on
> Linux) to redirect port 25 to a hidden unprivileged port and have Exim
> listen there. I'm sure that similar methods are available on *BSD,
> Solaris and other OSes.


Yuck! This is not a nice setup at all. It involves having yet another
piece of software that can go wrong and adds complexity to the whole
install.

Exim (*BSD land) does not need to run as root and that's good enough for
me. If I really was that paranoid, I'd run it it a jail. Or I'd run
_every_ service in jails.

> Given that many Exim users are beginning to use LDAs _other than_
> mbox/maildir delivery, it seems that Exim needing root privilege will
> become less important as time goes on. Even with the need for
> mbox/maildir delivery, if I had to implement that I would be much more
> comfortable having the LDA be a small, simple and not-Internet-visible
> daemon that did nothing but local mail delivery. With this arrangement,
> potential flaws in the Exim code become far less important, ask the risk
> potential is greatly reduced.


This is looking like the Qmail management system which is nice but
horribly inefficient.

It is not a good idea to makes zillions of modules just in case one of
them has a flaw. Spend making your code secure instead.

-- 
yann@???                  -=*=-                      www.kierun.org
    PGP:   009D 7287 C4A7 FD4F 1680  06E4 F751 7006 9DE2 6318