On Mon, 26 Mar 2001, Mark Devin wrote:
> I would like to make fetchmail run as a user rather than root when run
> via my /etc/ppp/ip-up.d/fetchmail-up script

You should consider the possibility of trying that using the fetchmail from
unstable. It is safer... (speaking as the maintainer for fetchmail).

> Make a home directory for user mail - /home/mail
> set the owner and group for this directory to "mail"
> chown mail /usr/bin/fetchmail
> chgrp mail /usr/bin/fetchmail
> chmod 4755 /usr/bin/fetchmail

There are much easier ways. The one that strikes me as good for root is to
run

  su mail /usr/bin/fetchmail

You can even have fetchmail as the default shell for user mail, and call
su mail - I think. man su will tell you more. In most PAM configurations,
root can su to another user without any sort of authentication checks.

OR, you could simply have cron calling fetchmail for user mail...

> I wanted to do it this way 'cause I thought it would be more secure - ie
> less things running as root the better. But I guess it's not possible to
> be cracked via fetchmail since it doesn't accept connections, it makes
> them itself.

I've never heard of anyone cracking fetchmail, but it is NOT crack-proof,
and I think there are some potential buffer overflows in the code (there
were in the past). A hostile server could attack fetchmail. If fetchmail is
running as root, this _could_ lead to root compromise.

> Any ideas 'cause it would be useful to know how to do it anyway.

Do keep in mind that if you run fetchmail as user 'mail', it cannot change
uid to deliver mail as it would were it root. This does not make it
impossible to do what you want, it is just something you have to take into
account.

I'll play around with the idea and maybe even add something like that to
Debian's default fetchmail package. No promises, though.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
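The privilege drop discussed in this thread, as an added example that is not part of the original messages or of Debian's fetchmail package: a hook for /etc/ppp/ip-up.d/fetchmail-up that refuses a setuid, loosely writable or unexpectedly owned fetchmail binary and then runs it as user mail through su. The function names, the EXPECT_OWNER check and the `su -s /bin/sh ... -c` invocation (Linux su) are assumptions of the example.

```shell
#!/bin/sh
# Added example for /etc/ppp/ip-up.d/fetchmail-up: run fetchmail as an
# unprivileged account instead of making the binary setuid.
# Assumed defaults (override via environment): account, binary path, owner.
RUN_AS=${RUN_AS:-mail}
FETCHMAIL=${FETCHMAIL:-/usr/bin/fetchmail}
EXPECT_OWNER=${EXPECT_OWNER:-root}

# Succeeds if find(1) reports the file for the given test expression.
matches() {
    f=$1; shift
    [ -n "$(find -L "$f" "$@" 2>/dev/null)" ]
}

# Refuse a binary whose mode or ownership would undo the privilege drop.
preflight() {
    [ -f "$1" ] && [ -x "$1" ] || { echo "$1: not an executable file" >&2; return 1; }
    if [ -u "$1" ] || [ -g "$1" ]; then
        echo "$1: setuid/setgid bit set (e.g. chmod 4755); clear it" >&2; return 1
    fi
    if matches "$1" \( -perm -002 -o -perm -020 \); then
        echo "$1: writable by group or others" >&2; return 1
    fi
    # A binary owned by the unprivileged account could be rewritten by a
    # compromised fetchmail and later executed by root.
    matches "$1" -user "$EXPECT_OWNER" || {
        echo "$1: not owned by $EXPECT_OWNER" >&2; return 1; }
}

main() {
    preflight "$FETCHMAIL" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        # -s supplies a shell in case the account has none configured;
        # -c names the command that shell runs as $RUN_AS.
        exec su -s /bin/sh "$RUN_AS" -c "$FETCHMAIL"
    elif [ "$(id -un)" = "$RUN_AS" ]; then
        exec "$FETCHMAIL"
    fi
    echo "must be started by root or $RUN_AS" >&2; return 1
}

# Run only when installed under the hook name used in the thread.
case "$0" in */fetchmail-up) main ;; esac
```

As the reply notes, fetchmail started this way cannot change uid for delivery, so its configuration for user mail has to account for that.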