Re: [Exim] PAM on Linux

Author: Bruce Richardson
Date:  
To: exim-users
Subject: Re: [Exim] PAM on Linux
On Thu, Jul 08, 2004 at 02:53:12PM +0200, Norman H. Azadian wrote:
> For exim3, FAQ 0037 says that PAM under Linux has a problem and that the
> fix involves patching the source. In the exim4 FAQ this is Q0029.
> According to this URL:
>
>       http://jeremy.zawodny.com/blog/archives/000453.html
>
> the solution is as simple as inserting the lines
>
>     exim_user=mail
>     exim_group=shadow
>
> in /etc/exim/exim.conf. It worked for me, so if it works for others too
> then perhaps the FAQs should be updated, and maybe the documentation as
> well. I'm running Debian with exim3.36.


It works but it's a huge security hole. Exim is intended to run as a
non-privileged user for almost all of the time. What you are proposing
to do is have it have privileged access to crucial security information
*all* of the time, simply for the purposes of authentication (which exim
will only spend a tiny part of its total time doing). The result is
that a successful compromise of the Exim system can give someone direct
access to the system passwords.

--
Bruce

I unfortunately do not know how to turn cheese into gold.
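
Added example, not part of the original message or of Exim: a small audit check that reads the exim_user/exim_group settings from a config and reports whether the identity the daemon runs under can read /etc/shadow. The passwd and group contents and the root:shadow 0640 ownership of /etc/shadow are constructed sample values modelled on a Debian layout, and the function names are hypothetical.

```python
import re

# Constructed sample inputs, modelled on a Debian layout (not from a real host).
EXIM_CONF = "# main configuration\nexim_user=mail\nexim_group=shadow\n"
PASSWD = "root:x:0:0:root:/root:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\n"
GROUP = "root:x:0:\nmail:x:8:\nshadow:x:42:\n"
SHADOW_STAT = (0, 42, 0o640)  # assumed owner uid, group gid, mode of /etc/shadow


def exim_identity(conf):
    """Return the (exim_user, exim_group) names set in an Exim config."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(exim_user|exim_group)\s*=\s*(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found.get("exim_user"), found.get("exim_group")


def runtime_ids(user, group, passwd, group_db):
    """Resolve names to the uid and gid set held after root is dropped."""
    users = {f[0]: f for f in (l.split(":") for l in passwd.splitlines() if l)}
    groups = {f[0]: f for f in (l.split(":") for l in group_db.splitlines() if l)}
    if user not in users or (group and group not in groups):
        raise ValueError("unknown user or group name")
    uid = int(users[user][2])
    gids = {int(groups[group][2]) if group else int(users[user][3])}
    # Conservative: also count groups that list the user as a member.
    gids |= {int(f[2]) for f in groups.values() if user in f[3].split(",")}
    return uid, gids


def can_read(uid, gids, stat):
    """Classic Unix read check: owner bits, else group bits, else other bits."""
    owner, group, mode = stat
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & 0o400)
    if group in gids:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


def daemon_can_read_shadow(conf, passwd=PASSWD, group_db=GROUP, stat=SHADOW_STAT):
    """True if the unprivileged Exim identity has standing read access to shadow."""
    user, group = exim_identity(conf)
    return can_read(*runtime_ids(user, group, passwd, group_db), stat)
```

A True result means every Exim process, not just the authentication step, holds read access to the password hashes.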