[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: exim4: Permissions for mail spool, mail queue, configuration files, account and group names

On Wed, Oct 29, 2003 at 07:46:02AM +0100, Marc Haber wrote:
> (a) Create a uid/gid for exim on installation of the package.

Yes sounds fine. The role of the exim group could be defined. Does exim need
the group if he runs as uid=exim? If net that group can be used as
mailadmin, which will also allow spool access automatically.

> (b) chown mail queue to exim:exim and log directory to exim:adm

Yes, very good, given the fact that gid mail is used by other subsystems.

> (c) Create a group "postmaster" (or should it be called mailadmin?) on
>     package installation.
> (d) Either declare admin_groups=postmaster or allow postmaster members
>     to sudo to exim (which approach is preferable?)

I would not do the sudo setting on package installation at all, and I am not
sure if we need to set up a trusted group. On small systems users will do
this as root, on larger systems or users with more understanding for exim
will add their own policy.

> (e) Create a group "exim_trusted" on package installation.
> (f) Declare trusted_groups=exim_trusted.

Not sure about this, also. This has nothing to do with the spool
permissions. I think this is also local policy.

> (ii)  If an admin-user only command line option is invoked by a 
>       non-admin user, does exim give a dedicated return value, so that
>       it would be possible to re-try the invocation with a sudo clause
>       in a wrapper automagically?

I would not do that, it is confusing. But a neat idea.

> (iv)  Can I use the postmaster group? To me, that name sounds
>       straightforward, but am I probably occupying a place in
>       namespace I am not supposed to take?

Well, I am not aware of any usage of it. I guess it is to simply pair up
with the postmaster uid.

  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!

Reply to: