Re: [exim] sudo - iptables trick

Author: Tim Jackson
Date:  
To: exim users
Subject: Re: [exim] sudo - iptables trick
John Hall wrote:

> On 4/15/06, W B Hacker <wbh@???> wrote:
>> John Hall wrote:


[non-interactively sudo'ing from exim to root to add iptables rules]

>>> See NOPASSWD in man sudoers.


>> I think I am beginning to see why some folks say Linux is no
>> more secure than Windows.....


That depends how you configure it. A machine running the most secure OS
in the world (whatever that is) isn't very secure if you set the
administrator password to "password". That's not a fault of the OS.

> It depends. Obviously if you have
>
> mail ALL=(root) NOPASSWD: ALL
>
> then that's not a good idea, but if you restrict mail to running just
> some wrapper scripts that invoke iptables appropriately, then it is
> reasonably secure.


Except that a compromise of "mail" means a root compromise. It's rather
a shame to throw away all Exim's careful user-switching (to try to limit
the effect of any compromise) just so you can do iptables rules.

Marc, you'd be better off writing whatever you're dealing with (IP
addresses, hostnames, whatever) to a file (as the exim user) and then
have a cronjob run as root that comes round every couple of minutes,
reads from that file (with careful sanity checking/input validation) and
creates the appropriate iptables rules. That would be considerably more
secure. That way, the worst a "mail" user compromise can do is screw up
your iptables rules, not get a root shell.


Tim
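
The root-side half of the file-drop design suggested above, as an added example that is not part of the original message. The queue path, the chain name, the per-run cap, the never-block ranges and the IPv4-only restriction are all assumptions made for illustration.

```python
"""Root cron job: turn addresses queued by the exim user into iptables argv lists."""
import ipaddress
import os
import subprocess

QUEUE = "/var/spool/exim/block.queue"   # assumed path, writable by the exim user
CHAIN = "EXIM_BLOCK"                     # assumed chain, created by the admin beforehand
MAX_ENTRIES = 500                        # bound what a compromised writer can add per run
# Ranges that must never be blocked; 192.0.2.0/24 stands in for an admin network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "192.0.2.0/24")]
# Constructed sample of what a hostile or buggy writer might leave in the queue.
SAMPLE = ["203.0.113.7", "203.0.113.7", "198.51.100.20 -j ACCEPT",
          "0.0.0.0/0", "127.0.0.1", "192.0.2.10", "$(reboot)", ""]

def read_queue(path=QUEUE, max_chars=64 * 1024):
    """Refuse symlinks (the writer controls the path) and read a bounded amount."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r", errors="replace") as fh:
        return fh.read(max_chars).splitlines()

def parse_queue(lines):
    """Return (accepted addresses, rejected raw lines); anything odd is rejected."""
    accepted, rejected, seen = [], [], set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            addr = ipaddress.IPv4Address(line)   # one dotted quad, nothing else
        except ValueError:
            rejected.append(raw)
            continue
        if any(addr in net for net in NEVER_BLOCK):
            rejected.append(raw)
        elif addr not in seen and len(accepted) < MAX_ENTRIES:
            seen.add(addr)
            accepted.append(addr)
    return accepted, rejected

def build_rules(addrs):
    """One argv list per address: no shell, and the value is our own str(addr)."""
    return [["iptables", "-A", CHAIN, "-s", str(a), "-j", "DROP"] for a in addrs]

if __name__ == "__main__":
    ok, bad = parse_queue(read_queue())
    for argv in build_rules(ok):
        subprocess.run(argv, check=True)
```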