Autor: Kevin P. Fleming Data: Para: exim-dev Assunto: Re: [Exim-dev] Exim without root privileges
Yann Golanski wrote:
> Yuck! This is not a nice setup at all. It involves having yet another
> piece of software that can go wrong and adds complexity to the whole
> install.
Well, IMHO this not "another piece of software", given that an
Internet-connected MTA is likely already going to have
filtering/firewalling in place. In my view this is just one more command
to the firewall software, something the sysadmin would already have to
be able to manage. Yes, it does add a bit of complexity.
> Exim (*BSD land) does not need to run as root and that's good enough for
> me. If I really was that paranoid, I'd run it it a jail. Or I'd run
> _every_ service in jails.
I was not aware that Exim on *BSD could be run on port 25 without being
started as root. I believe (could be mistaken) that on Linux this
requires giving the process a special "capability" to open privileged
ports, which is not really better than just redirecting the inbound traffic.
> It is not a good idea to makes zillions of modules just in case one of
> them has a flaw. Spend making your code secure instead.
Agreed, in the larger sense. However, no code is perfect no matter how
hard the team tries. Given that, I'd want every program I have exposed
to the wild to be as safe as possible given that it _might_ have
previously unknown flaws. Certainly that can be done by putting it into
a virtual machine, or a tightly-controlled chroot jail, but that's far
more work than just setting it up to run as an unprivileged user in the
first place.
I'm certainly not suggesting that Exim be broken into modules to support
this "privileged LDA" method; I'm suggesting that since these external
entities _already exist_ (in my case Cyrus IMAP, but I'm sure there are
others) it would be nice to take advantage of that fact and compile out
any code from Exim that has anything to do with switching uid/gid and
other privileged operations.