Re: [exim-dev] What user should ${run...} in config file run…

Author: Patrick Cernko
Date:  
To: exim-dev
Subject: Re: [exim-dev] What user should ${run...} in config file run as?
Hi List,

On 13.12.2010 03:39, Ted Cooper wrote:
>>
>> Why are we invoking ${run...} directives in the config file as root? Why
>> aren't we doing it as the Exim user?
>


+1 from me

> That's a pretty good point. I can't think of a good reason why it
> shouldn't be run as exim user - even if someone needs a program run as
> root, it's trivial to write a setuid wrapper for it or use something
> like ${readsocket}
>


It would be even more consistent: As the daemon is run as exim user, an
administrator would even expect the programs called also to be run by
the same user.

> Of course it forces all programs being run to have all of their files
> owned by exim too (unless wrapped) or some group which makes them more
> tightly coupled. It does reduce the chances of being able to run
> something as root inadvertently though.
>


Well, most of the programs I run are owned by root (not me ;-) ) and this
works pretty well. In contrast, I have to consider security issues in
more detail for programs owned by Debian-exim, because a non-root
attacker can at least overwrite them with harmful code.

> Is Exim being made less flexible and more difficult to use? Will this
> break some major users setup enough for them to switch away?
>


A config option to specify the user to run programs like this would
solve the questions: You can set it to default to the exim user which
will bring in the desired security enhancement. Users who cannot live
with this can easily reconfigure to the old setting including the
higher security risks. As the old behavior can be restored, I don't
think that many users would switch away.

Just my 2 cents,
--
Patrick Cernko | mailto:pcernko@mpi-sws.org
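
The ownership concern discussed in this message, as an added example that is not part of the original post and not Exim code: a Python check that reports whether a service account (for instance the Exim runtime user) could alter a program invoked through `${run...}`, either directly or by way of a parent directory it can write to. The function name, the reason strings and the sample file are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_run_helper(path, service_uid, service_gids=()):
    """List (path, reason) pairs showing how the service account could
    alter the program at `path` or swap it out via a parent directory."""
    findings = []
    node = os.path.realpath(path)
    while True:
        st = os.stat(node)
        is_dir = stat.S_ISDIR(st.st_mode)
        # In a sticky directory (e.g. /tmp) write access does not allow
        # replacing entries owned by someone else, so only ownership counts.
        sticky = is_dir and bool(st.st_mode & stat.S_ISVTX)
        if st.st_uid == service_uid:
            # The owner can always chmod and then rewrite, whatever the mode.
            findings.append((node, "owned by service account"))
        elif not sticky and st.st_gid in service_gids and st.st_mode & stat.S_IWGRP:
            findings.append((node, "writable via service group"))
        elif not sticky and st.st_mode & stat.S_IWOTH:
            findings.append((node, "world-writable"))
        parent = os.path.dirname(node)
        if parent == node:  # reached the filesystem root
            return findings
        node = parent

if __name__ == "__main__":
    # Constructed sample: a helper script created by the current user,
    # audited as if the current user were the mail service account.
    workdir = tempfile.mkdtemp()
    helper = os.path.join(workdir, "helper.sh")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(helper, 0o755)
    for where, why in audit_run_helper(helper, os.getuid()):
        print(f"{where}: {why}")
```

An empty result for every helper referenced from the configuration means a compromise of the service account alone does not let it replace those programs.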