Re: [exim] sudo - iptables trick

Author: Walt Reed
Date:  
To: Tim Jackson
CC: exim users
Subject: Re: [exim] sudo - iptables trick
On Sun, Apr 16, 2006 at 12:39:49PM +0100, Tim Jackson said:
> >It depends. Obviously if you have
> >
> >mail ALL=(root) NOPASSWD: ALL
> >
> >then that's not a good idea, but if you restrict mail to running just
> >some wrapper scripts that invoke iptables appropriately, then it is
> >reasonably secure.
>
> Except that a compromise of "mail" means a root compromise. It's rather
> a shame to throw away all Exim's careful user-switching (to try to limit
> the effect of any compromise) just so you can do iptables rules.


I don't think the OP was suggesting using that line in sudoers as is - I
think the OP was suggesting that you NOT use that line, but configure
sudo to allow a very specific script to be run. In that case, it's
reasonably secure and does NOT necessarily mean a root compromise.
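
The restricted setup discussed in this thread, as an added illustration that is not part of the original message or code from any poster: a sudoers entry that lets "mail" run one root-owned wrapper, and a wrapper that passes only a strictly validated IPv4 address to a fixed iptables rule. The script path, the function names, and the choice of `INPUT`/`DROP` are assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical wrapper, installed e.g. as /usr/local/sbin/mail-block-ip
# (assumed path), owned by root, mode 0755, not writable by "mail".
# Matching sudoers entry (edit with visudo), replacing any "NOPASSWD: ALL":
#   mail ALL=(root) NOPASSWD: /usr/local/sbin/mail-block-ip
# "mail" can then run this one script as root, never iptables directly.

PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH   # ignore the caller's PATH

valid_ipv4() {
    # Only digits and dots, no trailing dot: rejects options ("-F"),
    # whitespace, and shell metacharacters before anything else runs.
    case $1 in
        ''|*[!0-9.]*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds no glob characters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|????*|0?*) return 1 ;;   # empty, too long, or leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

block_ip() {
    if ! valid_ipv4 "$1"; then
        echo "mail-block-ip: refusing invalid address" >&2
        return 2
    fi
    # Chain and target are fixed; the caller supplies only the address.
    iptables -I INPUT -s "$1" -j DROP
}

# Act only when called with exactly one argument.
if [ "$#" -eq 1 ]; then
    block_ip "$1"
fi
```
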