Re: [exim] Quick Question - Prohibiting users from sending e…

Author: Stephen Gran
Date:
To: exim-users
Subject: Re: [exim] Quick Question - Prohibiting users from sending email
On Wed, Jun 14, 2006 at 10:47:18AM +0100, Tony Finch said:
> On Wed, 14 Jun 2006, Stephen Gran wrote:
> >
> > iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner 0 -m state --state NEW --dport 25 -j ACCEPT
> >
> > If it is a root compromise, of course, you're screwed anyway, but a
> > simple push over of a php script running as a non-privileged httpd user
> > may not kill you in this case.
>
> Except that Marc explicitly wants his httpd user to be able to send email.
> I wonder if he lets his users install CGIs.


The rule above does nothing about sending through exim; it's on the
OUTPUT chain. I am assuming even Marc can now figure out how to make
exim make its own decisions about these issues. I was answering
someone's other point that shell users can set up their own MTA rather
trivially and start sending spam directly, if exim won't relay for them.

And full ACK about user-supplied CGIs - they are almost never worth the
hassle.

Sorry if it was unclear,
--
--------------------------------------------------------------------------
|  Stephen Gran                  | Vitamin C deficiency is apauling.       |
|  steve@???             |                                         |
|  http://www.lobefin.net/~steve |                                         |

--------------------------------------------------------------------------
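
An added example, not part of Stephen's message: the single ACCEPT rule quoted above only has an effect when something later in the OUTPUT chain refuses everyone else, so this sketch prints a complete set of rules around it. The account name `exim`, the loopback exemption for local submission, and the LOG/REJECT handling are assumptions of the example, not details from the thread.

```shell
#!/bin/sh
# Print iptables commands that restrict new outbound SMTP connections to
# the listed accounts. Nothing is applied: review the output, then run it
# as root (for example by piping it to sh).

smtp_egress_rules() {
    # Arguments: account names or numeric UIDs allowed to connect to port 25.
    [ "$#" -gt 0 ] || { echo "usage: smtp_egress_rules UID..." >&2; return 2; }

    # Validate every argument before printing anything, so the output is
    # never a partial ruleset and is safe to hand to a shell.
    for id in "$@"; do
        case $id in
            ''|-*|*[!A-Za-z0-9_.-]*) echo "bad account: $id" >&2; return 1 ;;
        esac
    done

    match='-p tcp --dport 25 -m state --state NEW'

    # Local submission to the MTA on 127.0.0.1:25 stays open to everyone;
    # the MTA's own ACLs decide what it will accept or relay.
    echo "iptables -A OUTPUT -o lo $match -j ACCEPT"

    # One ACCEPT per permitted sender (the rule from the message, generalised).
    for id in "$@"; do
        echo "iptables -A OUTPUT $match -m owner --uid-owner $id -j ACCEPT"
    done

    # Everyone else: record the offending UID, then refuse the connection.
    echo "iptables -A OUTPUT $match -j LOG --log-uid --log-prefix 'smtp-egress-denied: '"
    echo "iptables -A OUTPUT $match -j REJECT --reject-with tcp-reset"
}

# Constructed sample: root plus an MTA account assumed to be named "exim".
smtp_egress_rules 0 exim
```

The LOG line puts the UID of any process that tries to connect to port 25 directly into the kernel log, which is the signal to look for when a web script or shell user starts running its own mailer.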