Author: Graeme Fowler Date: To: exim-dev Subject: Re: [exim-dev] What user should ${run...} in config file run as?
On Mon, 2010-12-13 at 10:15 +0000, David Woodhouse wrote: > It will drop privs when run as a dæmon, and it *cannot* get them back.
That's what I was expecting.
> It doesn't work like that. You cannot *gain* root privs; you can only
> give them away if your process was started with them.
>
> So what it does is fork and exec a *new* Exim process to do the
> delivery. That version of Exim doesn't drop privs.
Aha, now my poor little dumb brain understands: the "missing link", as
it stands, is the setuid bit on the Exim binary.
Now... again, poor little dumb brain time again: Why do we need Exim to
be setuid root? Presumably this is so it can change user when invoked to
do local deliveries as the right user (amongst myriad other things).
To cut to the chase (I hope I'm not really as dumb as I make out): are
we looking at a significant architectural change here, really? It
strikes me that having a single binary responsible for everything is a
bit of a limiting factor in terms of risk management, especially given
the setuid nature of the installation. If we separated out the local
delivery process (for example) to be a binary in and of itself then the
potential for exploitation is reduced.
