[exim] exim -bh and permissions

Author: T. Horsnell
Date:  
To: exim-users
Old-Topics: Re: [exim] need help with NIS
Subject: [exim] exim -bh and permissions
Firstly, Happy Retirement Phil, and thank you for a
great piece of software. And despite my flounderings       
(nis problems) I *do* read your excellent docs :).


My current headache is this:

I'm testing authorisation using exim -bh on a system which
uses /etc/shadow for its passwd source. That file is owned
by group 'shadowgroup' of which exim is a member, and is
group-readable.

auth_advertise_hosts is set such that non-lab ip addresses
will get AUTH PLAIN LOGIN advertised.

If I telnet into port 25 on the exim server from a non-lab host,
I can authenticate with a mimencoded string as expected.

If I run 'exim -bh ipaddr' (where ipaddr is that of the external
host above) and go through the same SMTP steps, the authentication
fails, and logs 'permission denied' for /etc/shadow. It doesn't matter
whether I run it as root or as a user (and presumably it shouldn't,
as it's suid-root anyway)

This is part of my attempt to investigate another problem, which may
be relevant. The check on /etc/shadow is done in the authenticators
section by:

fixed_plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${if crypteq{$3}\
    {${extract{1}{:}{${lookup{$2}lsearch{/etc/shadow}{$value}}}}\
    }{yes}{no}}


Although this works (people successfully authenticate from offsite),
looking closely, I see that the 'extract' function is actually extracting
the wrong field, field-1, which is the userid field of /etc/shadow.
The docs say field numbering starts at 1, so this should be failing...

Any suggestions please?

Cheers,
Terry
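
Added example (not part of the original message and not Exim code): a simplified Python model of the lsearch lookup and the numbered extract used in the authenticator above. It shows that lsearch returns the rest of the line after the key, so field 1 of $value is the password hash rather than the userid. The sample shadow lines and the function names are constructed for illustration.

```python
# Simplified model of Exim's lsearch lookup and ${extract{n}{:}{...}}.
# Illustration only: no quoted keys, no continuation lines.

# Constructed sample in /etc/shadow layout; the hashes are placeholders.
SAMPLE_SHADOW = """\
# constructed sample
root:$6$CONSTRUCTEDSALT$rootplaceholderhash:19000:0:99999:7:::
terry:$6$CONSTRUCTEDSALT$terryplaceholderhash:19123:0:99999:7:::
"""

def lsearch(key, text):
    """Return the data for key: the line with the key and its separator removed."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # The key ends at the first colon or white space.
        i = 0
        while i < len(line) and line[i] != ":" and not line[i].isspace():
            i += 1
        if line[:i] != key:
            continue
        rest = line[i:].lstrip()
        if rest.startswith(":"):
            rest = rest[1:].lstrip()
        return rest
    return None  # lookup failed

def extract(n, seps, data):
    """Return field n (numbered from 1) of data, split on any character in seps."""
    fields, cur = [], ""
    for ch in data:
        if ch in seps:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return fields[n - 1] if 1 <= n <= len(fields) else None

def shadow_hash(user, text=SAMPLE_SHADOW):
    """Model of ${extract{1}{:}{${lookup{user}lsearch{file}{$value}}}}."""
    value = lsearch(user, text)
    return None if value is None else extract(1, ":", value)

if __name__ == "__main__":
    print(lsearch("terry", SAMPLE_SHADOW))  # userid is already stripped
    print(shadow_hash("terry"))             # field 1 is the hash
```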