Re: [exim-dev] Pipe transport run by user?

Author: Philip Hazel
Date:  
To: Bryan Henderson
CC: exim-dev
Subject: Re: [exim-dev] Pipe transport run by user?
On Mon, 12 Sep 2005, Bryan Henderson wrote:

> Does Exim run the pipe transport only when running as a daemon, or
> does it also run it when invoked by a user to send mail? I know
> traditional Unix MTAs deliver mail locally without involving a daemon
> at all, but does Exim?


I may be wrong, but from the way you have worded your question, I think
you haven't quite understood the way Exim works. *All* the daemon does
is (a) to listen for incoming connections and fork another process for
each one and (b) start queue runner processes regularly. That's it. All
the work Exim does when receiving or delivering messages is done in
independent, short-lived processes.

Exim runs the pipe transport whenever it has to deliver a message that
is routed to a pipe transport. Like all deliveries, the transport is run
in a separate process that is setuid to something other than root. The
user can be specified on the transport or on the router (possibly
implicitly by check_local_user on the router).

> The reason I care is that I'm working on a modification to the pipe
> transport that causes the piped-to program to inherit environment
> variables normally (today, it starts the environment fresh with a
> dozen or so environment variables chosen by Exim and whatever you
> specify in transport options in exim.conf). On my system, there are
> many environment variables, which the Exim daemon inherits normally,
> that the piped-to program needs.


This won't, in general, work because a message sent locally does not
involve the daemon at all. Of course, if on your system nobody ever
sends messages locally that may not matter to you. You also need to
consider what happens if a message cannot immediately be delivered. As
long as the next delivery happens from a queue runner started by the
daemon, it might work. But if, for example, the sysadmin prods it
manually, the environment may be different.

> But if the piped-to program runs with the benefit of Exim's setuid
> privileges, this is not good. It makes sense only if the program is
> invoked by the Exim daemon.


The piped-to program does not run with the setuid privilege. Indeed,
unless you change the default configuration, it won't run it as root
even if you ask it to (see never_users). But the program is not "invoked
by the Exim daemon", at least, not directly.

As an overriding thought, I am not at all sure that relying on
environment variables in this way is a good idea because it seems to me
to be very prone to things going wrong. Note also that Exim will tamper
with the settings of TMPDIR and TZ in the environment if it doesn't like
them. (There was a time when I wanted to clean out the environment on
entry to Exim, but that caused trouble with some of the things it
calls.)

I hope this helps.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
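
The fresh-environment behaviour discussed in this thread, as an added C example that is not Exim's source and not part of the original message: the child sees only the variables the caller places in envp, so the result does not depend on whether a daemon, a queue runner or an admin's shell started the delivery. The function run_with_env and the DEMO_* variable names are hypothetical, and the sample values are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run `cmd` under /bin/sh with exactly the variables in envp and nothing
 * inherited from the caller. The first line of the child's stdout is copied
 * into out. Returns the child's exit status, or -1 on failure. */
int run_with_env(const char *cmd, char *const envp[], char *out, size_t outlen)
{
    int fd[2];
    if (outlen == 0 || pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                       /* child: the piped-to program */
        char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execve("/bin/sh", argv, envp);    /* envp replaces the environment */
        _exit(127);
    }
    close(fd[1]);
    size_t n = 0;
    ssize_t r;
    while (n + 1 < outlen && (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    out[strcspn(out, "\n")] = '\0';       /* keep the first line only */
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: DEMO_INHERITED exists only in the caller. */
    char *const fresh[] = { "PATH=/bin:/usr/bin", "DEMO_EXPLICIT=from-config", NULL };
    char out[128];
    setenv("DEMO_INHERITED", "from-caller", 1);
    if (run_with_env("echo \"${DEMO_INHERITED:-unset} ${DEMO_EXPLICIT:-unset}\"",
                     fresh, out, sizeof out) != 0) return 1;
    printf("%s\n", out);
    return 0;
}
```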