[exim-dev] [Bug 2276] Exim triggers DAC_OVERRIDE when runnin…

Inizio della pagina
Delete this message
Reply to this message
Autore: admin
Data:  
To: exim-dev
Oggetto: [exim-dev] [Bug 2276] Exim triggers DAC_OVERRIDE when running on SELinux enabled system
https://bugs.exim.org/show_bug.cgi?id=2276

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX


--- Comment #5 from Phil Pennock <pdp@???> ---
Logs: if you change the permissions and build-time and use ACLs so that root
has permission to write, then there is no FS permission override, and no issue.

Spool: the default permission for files in the spool is set as SPOOL_MODE=0640.
They're writable by group Exim.

Solution 1: put user root into group Exim. Easy, fixed, done.
Solution 2: use ACLs again to give root permission to read anything created in
the spool input directory. More fragile, as that's a directory which Exim will
happily auto-create when missing.
Solution 3: disable the DAC enforcement.

Honestly, I'd use solution 1 for the spool, and once you have that the only
thing needed is to compile with LOG_MODE=0660 instead of the default 0640.

I'd forgotten about read access to -D for delivery as non-root. I'm much less
bothered by Exim choosing to open a file in read-only mode as root than I am
when Exim is opening a file to _write_ as root.

Closing this as wontfix because there is a sane solution available for use on
such systems, using traditional group membership and permissions, and Exim is
not misbehaving.

--
You are receiving this mail because:
You are on the CC list for the bug.