Re: [exim-dev] Pipe transport run by user?

Author: Philip Hazel
Date:  
To: Bryan Henderson
CC: exim-dev
Subject: Re: [exim-dev] Pipe transport run by user?
On Wed, 14 Sep 2005, Bryan Henderson wrote:

> I organized the email poorly. I mean the receiving process can
> inherit the socket (when the system starts up).
*The* socket? Note that Exim supports listening on multiple ports and
multiple interfaces (and also IPv6 and IPv4). In general, it uses a
number of sockets.

> I have a program called "socketexec" that simply binds a socket and
> then execs a named program with it as Standard Input.
Fine if you only want to use one socket.

> >Sorry, I can't follow that. What do you mean by "mail queue"? Exim has
> >its own queue which of course it must access. What am I missing?
>
> I could have chosen a better word. Mail spool, probably. E.g.
> /var/spool/mail/bryanh.
Aha! You mean what I call "the local mailboxes". I tend to think of "the
mail spool" as Exim's mail spool - i.e. its "queue" (which isn't really
a queue, of course).

> Run as a mail originator for locally bound mail (e.g. someone typing
> an "exim bryanh <mymessage" shell command), Exim usually wants to
> write to /var/spool/mail/bryanh (and probably some exim-owned files as
> well), and therefore wants to be setuid. But I'm claiming that it
> doesn't have to. It can instead make an SMTP connection to the local
> Exim daemon, which requires no privilege at all.
True, and it's trivial to configure it to do that:

router:
  driver = accept
  check_local_user
  transport = transport

transport:
  driver = smtp
  hosts = 127.0.0.1
  allow_localhost

But of course the configuration for the daemon must do something
different, to avoid looping forever.

As I say when I am running Exim courses, other MTAs have taken different
approaches to security issues as they have made a point of developing
alternative security scenarios as one of their "selling points". I am
not a security expert; I obviously wanted to write a secure MTA, but I
did not want to be experimenting with new security approaches. That is
why Exim operates more or less "traditionally", though it does use only
setuid() and not seteuid(), and it never runs as root when receiving or
delivering messages.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
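As an added illustration (not code from the thread), one way to keep the daemon side from looping is to select the router on how the message arrived, using Exim's $received_protocol variable: locally submitted messages are handed to the daemon over SMTP, while messages the daemon receives over SMTP go to the mailbox. Router and transport names are assumed, as is an ACL that accepts submissions from 127.0.0.1.

```exim
# Added example: one configuration that serves both the command-line
# submitter and the daemon without the message bouncing between them.

begin routers

# Only for locally submitted messages ($received_protocol is "local"):
# relay to the daemon on 127.0.0.1 instead of writing the mailbox.
to_daemon:
  driver = accept
  check_local_user
  condition = ${if eq{$received_protocol}{local}}
  transport = localhost_smtp

# Everything else, including what the daemon accepted over SMTP from
# 127.0.0.1, is delivered to the local mailbox.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery

begin transports

localhost_smtp:
  driver = smtp
  hosts = 127.0.0.1
  allow_localhost

# Mailbox path assumed to match the /var/spool/mail/<user> layout
# discussed in the thread.
local_delivery:
  driver = appendfile
  file = /var/spool/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
```

Because only trusted users can override the received protocol (with -oMr), an ordinary user cannot steer a locally submitted message past the first router.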