Re: exim4: Permissions for mail spool, mail queue, configuration files, account and group names
On Wed, Oct 29, 2003 at 07:46:02AM +0100, Marc Haber wrote:
> (a) Create a uid/gid for exim on installation of the package.
Yes, sounds fine. The role of the exim group could be defined. Does exim need
the group if it runs as uid=exim? If not, that group can be used as
mailadmin, which will also allow spool access automatically.
> (b) chown mail queue to exim:exim and log directory to exim:adm
Yes, very good, given the fact that gid mail is used by other subsystems.
> (c) Create a group "postmaster" (or should it be called mailadmin?) on
> package installation.
> (d) Either declare admin_groups=postmaster or allow postmaster members
> to sudo to exim (which approach is preferable?)
I would not do the sudo setting on package installation at all, and I am not
sure if we need to set up a trusted group. On small systems users will do
this as root; on larger systems, or users with more understanding of exim,
will add their own policy.
> (e) Create a group "exim_trusted" on package installation.
> (f) Declare trusted_groups=exim_trusted.
Not sure about this, also. This has nothing to do with the spool
permissions. I think this is also local policy.
> (ii) If an admin-user only command line option is invoked by a
> non-admin user, does exim give a dedicated return value, so that
> it would be possible to re-try the invocation with a sudo clause
> in a wrapper automagically?
I would not do that, it is confusing. But a neat idea.
> (iv) Can I use the postmaster group? To me, that name sounds
> straightforward, but am I probably occupying a place in
> namespace I am not supposed to take?
Well, I am not aware of any usage of it. I guess it is to simply pair up
with the postmaster uid.
Bernd
--
(OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!