Re: exim4: Permissions for mail spool, mail queue, configuration files, account and group names

To: debian-devel@lists.debian.org
Subject: Re: exim4: Permissions for mail spool, mail queue, configuration files, account and group names
From: Bernd Eckenfels <lists@lina.inka.de>
Date: Wed, 29 Oct 2003 10:52:19 +0100
Message-id: <[🔎] 20031029095219.GA6075@lina.inka.de>
In-reply-to: <[🔎] E1AEk5i-0000N1-00@q.bofh.de>
References: <[🔎] E1AEk5i-0000N1-00@q.bofh.de>

On Wed, Oct 29, 2003 at 07:46:02AM +0100, Marc Haber wrote:
> (a) Create a uid/gid for exim on installation of the package.

Yes sounds fine. The role of the exim group could be defined. Does exim need
the group if he runs as uid=exim? If net that group can be used as
mailadmin, which will also allow spool access automatically.

> (b) chown mail queue to exim:exim and log directory to exim:adm

Yes, very good, given the fact that gid mail is used by other subsystems.

> (c) Create a group "postmaster" (or should it be called mailadmin?) on
>     package installation.
> (d) Either declare admin_groups=postmaster or allow postmaster members
>     to sudo to exim (which approach is preferable?)

I would not do the sudo setting on package installation at all, and I am not
sure if we need to set up a trusted group. On small systems users will do
this as root, on larger systems or users with more understanding for exim
will add their own policy.

> (e) Create a group "exim_trusted" on package installation.
> (f) Declare trusted_groups=exim_trusted.

Not sure about this, also. This has nothing to do with the spool
permissions. I think this is also local policy.

> (ii)  If an admin-user only command line option is invoked by a 
>       non-admin user, does exim give a dedicated return value, so that
>       it would be possible to re-try the invocation with a sudo clause
>       in a wrapper automagically?

I would not do that, it is confusing. But a neat idea.

> (iv)  Can I use the postmaster group? To me, that name sounds
>       straightforward, but am I probably occupying a place in
>       namespace I am not supposed to take?

Well, I am not aware of any usage of it. I guess it is to simply pair up
with the postmaster uid.

Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

Reply to:

Follow-Ups:
- Re: exim4: Permissions for mail spool, mail queue, configuration files, account and group names
  - From: Marc Haber <mh+debian-devel@zugschlus.de>

References:
- exim4: Permissions for mail spool, mail queue, configuration files, account and group names
  - From: Marc Haber <mh+debian-devel@zugschlus.de>

Prev by Date: Re: Brief descriptions in menu entries
Next by Date: Re: Bug#218080: ITP: wmpower -- a Window Maker dock application for Laptop power management
Previous by thread: exim4: Permissions for mail spool, mail queue, configuration files, account and group names
Next by thread: Re: exim4: Permissions for mail spool, mail queue, configuration files, account and group names
Index(es):
- Date
- Thread