Re: Exim permissions
On Sun, Dec 01, 2002 at 12:18:23PM -0500, Derrick 'dman' Hudson wrote:
> On Sat, Nov 30, 2002 at 04:36:42PM -0600, Shyamal Prasad wrote:
> | "jah" == jah pigeon <Pigeon> writes:
> |
> | jah> BUT... /usr/sbin/exim is setuid root. Huh?
> |
> | Exim probably uses the root permission for very, very few things (like
> | opening port 25 when in daemon mode). It probably drops the root
> | permission as one of the first things it ever does.
>
> Yes. It also needs to be root in order to setuid() to the local user
> receiving a message prior to delivery. It also needs to be root to
> setuid() to the "mail user" for managing the spool (no other user has
> read/write permissions on the files).
>
> | I'm guessing here. I suspect exim is doing its best to avoid giving
> | you any permissions you don't need by dropping root and becoming the
> | real user as soon as and as much as it can.
>
> exim does quite a few checks on user identities before it goes ahead
> and allows any given task to be performed.
>
> | Better still, use sudo and you will not have to do any C programming :-)
>
> Sudo is very handy for things like this :-).
OK, but I still don't quite understand why the "trusted user" bit
doesn't work. Maybe it would work if I put a setuid-setgid-8 wrapper
around the whole thing? I'd rather not though!
> On Sat, Nov 30, 2002 at 10:28:24PM +0000, Pigeon wrote:
> | On Sat, Nov 30, 2002 at 12:57:39PM -0600, John Hasler wrote:
>
> | > You shouldn't have to. Exim should have installed /etc/ppp/ip-up.d/exim,
> | > containing:
> | >
> | > #!/bin/sh
> | >
> | > # Flush exim queue
> | > if [ -x /usr/sbin/exim ]; then
> | >     /usr/sbin/exim -qf
> | > fi
> |
> | Hmpf! It did 'n all. So this should be run automatically when I pon.
> | Is there a time delay involved? Not knowing that this script had been
> | installed, I've been running exim -qf manually immediately after I
> | pon. So maybe I just haven't been giving it a chance.
>
> First see if /usr/sbin/exim is executable. If it isn't, then the
> shell script above won't do anything. Next check your exim log
> (/var/log/exim/mainlog). If you see messages about a queue run then
> you know that exim processed the queue. It's possible that there are
> no messages to deliver or that they finished delivering before you
> noticed exim had done anything. The exim package also sets up a cron
> job in /etc/cron.d/exim
>
> # Run queue every 15 minutes
> 08,23,38,53 * * * * mail if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi
>
> You should also see messages in exim's log at about queue runs at
> those times.
/usr/sbin/exim is indeed executable :-) Yeah, the cron job's working,
but the automatic-upon-pon bit isn't. I'm not really worried about
that per se, but it may be an indication of something subtly wrong
somewhere that may cause other problems.
Pigeon
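The thread above describes what a setuid-root MTA does with its privilege: keep root only for the few things that need it, then setuid() to the local user (or the spool owner) before doing anything on their behalf. The following is an added example, not code from exim or from anyone in this thread, showing the privilege-drop sequence such a program uses: supplementary groups first, then the primary gid, then the uid, each step checked, and the result verified, because a step that silently fails leaves the process running as root. The `drop_privileges` and `cannot_regain_root` names are this example's own; the demonstration drops to the real (invoking) uid and gid, which is what "becoming the real user" means for a setuid binary.

```c
/* Added example (not exim's code): permanent privilege drop for a
 * setuid-root program, in the order that actually works.
 * _DEFAULT_SOURCE exposes setgroups() in <grp.h> on glibc. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid.  Returns 0 on success, -1 on failure with
 * errno set.  A caller must treat -1 as fatal: continuing after a failed
 * drop means continuing as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first.  Clearing them requires root; a
     * non-root caller has nothing to clear and would just get EPERM,
     * so only attempt it while still effectively root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* gid before uid: once the uid is no longer 0, setgid() to an
     * arbitrary group is refused. */
    if (setgid(gid) != 0)
        return -1;

    /* setuid() as root sets real, effective and saved uid together,
     * which is what makes the drop permanent. */
    if (setuid(uid) != 0)
        return -1;

    /* Verify rather than trust the return codes: every id we can read
     * must now be the target. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Returns 1 if the process can no longer become root (setuid(0) is
 * refused with EPERM), 0 if it still can.  Use it as a post-drop check. */
int cannot_regain_root(void)
{
    if (setuid(0) == 0)
        return 0;   /* we are root again: the drop was not permanent */
    return errno == EPERM;
}

int main(void)
{
    /* For a setuid binary, getuid() is the invoking (real) user. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%ld gid=%ld, root regainable: %s\n",
           (long)geteuid(), (long)getegid(),
           cannot_regain_root() ? "no" : "yes");
    return 0;
}
```

Run as an ordinary user the program simply confirms it cannot reach uid 0; installed setuid root it would start as root, shed the supplementary groups, and end up as the invoking user with no way back. The check on the saved set-user-id is what distinguishes this from a seteuid() call, which only changes the effective id and can be undone.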