
Re: Exim permissions



On Sun, Dec 01, 2002 at 12:18:23PM -0500, Derrick 'dman' Hudson wrote:
> On Sat, Nov 30, 2002 at 04:36:42PM -0600, Shyamal Prasad wrote:
> |     "jah" == jah pigeon <Pigeon> writes:
> | 
> |     jah> BUT... /usr/sbin/exim is setuid root. Huh?
> | 
> | Exim probably uses the root permission for very, very few things (like
> | opening port 25 when in daemon mode). It probably drops the root
> | permission as one of the first things it ever does.
> 
> Yes.  It also needs to be root in order to setuid() to the local user
> receiving a message prior to delivery.  It also needs to be root to
> setuid() to the "mail user" for managing the spool (no other user has
> read/write permissions on the files).
> 
> | I'm guessing here. I suspect exim is doing its best to avoid giving
> | you any permissions you don't need by dropping root and becoming the
> | real user as soon as and as much as it can.
> 
> exim does quite a few checks on user identities before it goes ahead
> and allows any given task to be performed.
> 
> | Better still, use sudo and you will not have to do any C programming :-)
> 
> Sudo is very handy for things like this :-).

OK, but I still don't quite understand why the "trusted user" bit
doesn't work. Maybe it would work if I put a setuid-setgid-8 wrapper
around the whole thing? I'd rather not though! 

> On Sat, Nov 30, 2002 at 10:28:24PM +0000, Pigeon wrote:
> | On Sat, Nov 30, 2002 at 12:57:39PM -0600, John Hasler wrote:
> 
> | > You shouldn't have to.  Exim should have installed /etc/ppp/ip-up.d/exim,
> | > containing:
> | > 
> | > #!/bin/sh
> | > 
> | > # Flush exim queue
> | > if [ -x /usr/sbin/exim ]; then
> | >         /usr/sbin/exim -qf
> | > fi
> | 
> | Hmpf! It did 'n all. So this should be run automatically when I pon.
> | Is there a time delay involved? Not knowing that this script had been
> | installed, I've been running exim -qf manually immediately after I
> | pon. So maybe I just haven't been giving it a chance.
> 
> First see if /usr/sbin/exim is executable.  If it isn't, then the
> shell script above won't do anything.  Next check your exim log
> (/var/log/exim/mainlog).  If you see messages about a queue run then
> you know that exim processed the queue.  It's possible that there are
> no messages to deliver or that they finished delivering before you
> noticed exim had done anything.  The exim package also sets up a cron
> job in /etc/cron.d/exim
> 
>     # Run queue every 15 minutes
>     08,23,38,53 *     * * *     mail   if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi
> 
> You should also see messages in exim's log about queue runs at
> those times.

/usr/sbin/exim is indeed executable :-) Yeah, the cron job's working,
but the automatic-upon-pon bit isn't. I'm not really worried about
that per se, but it may be an indication of something subtly wrong
somewhere that may cause other problems.

Pigeon
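The checklist Derrick gives above (exim binary executable, ip-up hook present, queue runs recorded in the mainlog) as a small diagnostic script; this is an added example, not code from the thread or from the Debian exim package, and it assumes a mainlog line format of "YYYY-MM-DD HH:MM:SS Start queue run: pid=NNN" with the sample lines constructed here.

```shell
#!/bin/sh
# Diagnose the "queue not flushed after pon" symptom: exim binary executable,
# ip-up hook present and executable, queue runs recorded in the mainlog.

count_queue_runs() {
    # Count "Start queue run" lines in a mainlog. Assumed (constructed) line
    # format: "YYYY-MM-DD HH:MM:SS Start queue run: pid=NNN".
    n=$(grep -c 'Start queue run' "$1" 2>/dev/null)
    echo "${n:-0}"
}

queue_runs_since() {
    # Count queue runs logged at or after "$2" ("YYYY-MM-DD HH:MM:SS"),
    # e.g. the moment the ppp link came up, to see whether the hook fired.
    awk -v since="$2" '/Start queue run/ && ($1 " " $2) >= since { n++ } END { print n + 0 }' "$1"
}

check_exim_queue_setup() {
    exim=$1; log=$2; hook=$3
    problems=0
    if [ -x "$exim" ]; then
        echo "ok: $exim is executable"
    else
        echo "problem: $exim is not executable; hook and cron job silently skip it"
        problems=$((problems + 1))
    fi
    if [ -x "$hook" ]; then
        echo "ok: $hook is executable"
    else
        echo "problem: $hook missing or not executable (run-parts skips such files)"
        problems=$((problems + 1))
    fi
    runs=$(count_queue_runs "$log")
    if [ "$runs" -gt 0 ]; then
        echo "ok: $runs queue run(s) recorded in $log"
    else
        echo "problem: no queue runs recorded in $log"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone demo on constructed files in a temporary directory.
d=$(mktemp -d)
printf '#!/bin/sh\n' > "$d/exim" && chmod +x "$d/exim"
printf '%s\n' '2002-12-01 12:08:01 Start queue run: pid=1234' \
              '2002-12-01 12:23:00 Start queue run: pid=1301' > "$d/mainlog"
check_exim_queue_setup "$d/exim" "$d/mainlog" "$d/ip-up-exim" || echo "problems found: $?"
queue_runs_since "$d/mainlog" '2002-12-01 12:20:00'   # prints 1
```

Run it with the real paths (/usr/sbin/exim, /var/log/exim/mainlog, /etc/ppp/ip-up.d/exim) and the exit status is the number of problems found.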
