On 2010-07-31 at 18:11 +0400, tux2002@??? wrote:
> Good day!First sorry my English.I use exim-4.69. I run exim from user exim and primary group exim.Currently my exim binary file have exim:exim ownership and setuid and setgid.I mean that setuid is excess privelege. How about add functionality, when exim work with files in his spool with umask 007 for example, and newer chown file in his spool?I mean that allow do exim binary file only setgid.
> For example:1. User send email via mailx and via sgid exim binary,so spool file have 660 mode and user:exim ownership.exim can manage this file.2. Exim recieve email via smtp, so spool file have 660 mode and exim:exim ownership.exim can manage this file.3. For example: Exim is member of clamav group and put files into scan directory with mode 640 and exim:clamav ownership.
User-support questions belong on the exim-users list, please.
You should probably try to read section 52, "SECURITY CONSIDERATIONS",
of The Exim Specification. This was provided with Exim, as "spec.txt",
or can be found on
www.exim.org.
In particular (С благодарностью к Google Translate):
52.1 Building a more "hardened" Exim
52,1 Строительство более "закаленные" Exim
52.2 Root privilege
52,2 корневой привилегий
52.3 Running Exim without privilege
52,3 Запуск Exim без привилегий
С уважением,
-Phil
