
RE: Exim PAM SMTP Authentication, help!



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> But isn't that a bad thing(tm) ?

It can be.

> Surely you must be able to get a simple yes no on auth out of PAM with
> it rather doing things as root?

Sure, PAM works fine without exim running as root - I've had exim
authenticate off SQL databases via PAM, with exim running as the user
"mail".

But exim *must* run as root to be able to authenticate using the system
passwords in /etc/shadow.  I know of no way around it, except for making
/etc/shadow world readable, which is even more dangerous than having exim
run as root.

There is another way to do it, but it requires knowledge of perl, exim
compiled with perl support, and a small program to handle the PAM
authentication.

You can skip the perl part if you can find a way to get exim to run an
external program directly for authentication, but I don't know right off
hand if there's a way to do that.

> I'd prefer not running Exim as root to prevent any possible exploits ...

Understandable, but sometimes unavoidable.

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE60zoV/ZTSZFDeHPwRAkNbAKCg/V8xnlyNmmDnzk3lp4CvYh3JIQCghog0
3B+SWFD91O1bE6clBSdpXDg=
=Rbax
-----END PGP SIGNATURE-----
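
Added example, not part of the original message: a Python sketch of the classic Unix read-permission check behind the /etc/shadow point above, showing why a non-root account such as "mail" cannot read a root-owned 0640 file and how to flag a world-readable one. The function names, the sample entry and the temporary file are constructed for illustration; ACLs and capabilities are ignored.

```python
import os
import stat
import tempfile

def can_read(st, uid, gids):
    """Classic Unix mode-bit read check (simplified: no ACLs, no capabilities)."""
    if uid == 0:
        return True                      # root is not limited by mode bits
    if uid == st.st_uid:                 # owner: only the owner bits apply
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:                # group member: only the group bits apply
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit_shadow(path, uid, gids):
    """Return (readable_by_uid, findings) for a shadow-style password file."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable: any local user can copy the password hashes")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    return can_read(st, uid, gids), findings

def make_sample(mode):
    """Create a constructed stand-in for /etc/shadow with the given mode."""
    fd, path = tempfile.mkstemp(prefix="shadow-sample-")
    with os.fdopen(fd, "w") as fh:
        # Constructed entry, not a real hash.
        fh.write("alice:$6$constructed$notarealhash:19000:0:99999:7:::\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    sample = make_sample(0o640)
    st = os.stat(sample)
    # Hypothetical unprivileged daemon account: neither the owner nor in the group.
    daemon_uid, daemon_gids = st.st_uid + 1, [st.st_gid + 1]
    for mode in (0o640, 0o644):
        os.chmod(sample, mode)
        readable, findings = audit_shadow(sample, daemon_uid, daemon_gids)
        print(oct(mode), "daemon can read:", readable, findings)
    os.remove(sample)
```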


