[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

exim4: Permissions for mail spool, mail queue, configuration files, account and group names

[sent separately to exim-users and debian-devel]


recently, I stumbled over a minor configuration issue of exim 4, which
has led to major re-thinking of my permission concept. This has
managed to completely confuse me, and I will try to write things up to
get clarification, to learn what I did miss, and probably to discuss
things. My system is Debian GNU/Linux, so I have to worry about Debian
policy as well.

Debian status quo is as follows:

(1) Mail spool (/var/mail) is the place where user mailboxes are 
    stored. The directory should be root:mail 2775; the mailboxes 
    $USER:mail 660. MUAs run sgid mail to be able to create dot-locks 
    on the Mailboxes.
(2) exim's Mail queue (/var/spool/exim) is the place where exim stores
    queued messages, message logs and a bunch of hint databases. On
    Debian, directories in the mail queue are mail:mail 0750, files
    mail:mail 0640. This currently allows misbehaving MUA programs to
    read inside the mail queue which they are not supposed to.
(3) Logs go to /var/log/exim4 (mail:adm 2750).
(4) There is no policy about trusted and admin users for exim.
(5) Getting a statically allocated uid/gid for any package is quite 
    hard, so this must be avoided for the package.

What I'd like to have is a setup that satisfies the following

(A) Keep MUAs from reading inside the mail queue.
(B) Allow a group of admins.
(C) Allow a group of user accounts to be trusted.
(D) Generally: Keep different roles reasonably separated.

To have them satisfied, I think that the following changes to the exim
4 packages would be needed:

(a) Create a uid/gid for exim on installation of the package.
(b) chown mail queue to exim:exim and log directory to exim:adm
(c) Create a group "postmaster" (or should it be called mailadmin?) on
    package installation.
(d) Either declare admin_groups=postmaster or allow postmaster members
    to sudo to exim (which approach is preferable?)
(e) Create a group "exim_trusted" on package installation.
(f) Declare trusted_groups=exim_trusted.
(g) If exim should run without root privileges, exim_group needs to be
    mail to be able to write to mail spool. No problem with the mail
    queue here since the exim uid can write there.

These changes yield the following additional questions that are not
mentioned above:

(i)   in src/EDITME, does EXIM_USER=exim compile in the numeric UID of
      the exim account on the build system, or does it compile in the 
      string to be resolved to a numeric UID at run-time?
(ii)  If an admin-user only command line option is invoked by a 
      non-admin user, does exim give a dedicated return value, so that
      it would be possible to re-try the invocation with a sudo clause
      in a wrapper automagically?
(iii) Would it be enough to make the exim user member of the mail
      group in case of (g)? Or would that contradict the effort made
(iv)  Can I use the postmaster group? To me, that name sounds
      straightforward, but am I probably occupying a place in
      namespace I am not supposed to take?

Thanks for your consideration and the discussion. Am I over the top,
or are my thoughts reasonable?


-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

Reply to: