
Re: Exim permissions



On Sat, Nov 30, 2002 at 04:36:42PM -0600, Shyamal Prasad wrote:
|     "jah" == jah pigeon <Pigeon> writes:
| 
|     jah> BUT... /usr/sbin/exim is setuid root. Huh?
| 
| Exim probably uses the root permission for very, very few things (like
| opening port 25 when in daemon mode). It probably drops the root
| permission as one of the first things it ever does.

Yes.  It also needs to be root in order to setuid() to the local user
receiving a message prior to delivery.  It also needs to be root to
setuid() to the "mail user" for managing the spool (no other user has
read/write permissions on the files).

| I'm guessing here. I suspect exim is doing its best to avoid giving
| you any permissions you don't need by dropping root and becoming the
| real user as soon as and as much as it can.

exim does quite a few checks on user identities before it goes ahead
and allows any given task to be performed.

| Better still, use sudo and you will not have to do any C programming :-)

Sudo is very handy for things like this :-).


On Sat, Nov 30, 2002 at 10:28:24PM +0000, Pigeon wrote:
| On Sat, Nov 30, 2002 at 12:57:39PM -0600, John Hasler wrote:

| > You shouldn't have to.  Exim should have installed /etc/ppp/ip-up.d/exim,
| > containing:
| > 
| > #!/bin/sh
| > 
| > # Flush exim queue
| > if [ -x /usr/sbin/exim ]; then
| >         /usr/sbin/exim -qf
| > fi
| 
| Hmpf! It did 'n all. So this should be run automatically when I pon.
| Is there a time delay involved? Not knowing that this script had been
| installed, I've been running exim -qf manually immediately after I
| pon. So maybe I just haven't been giving it a chance.

First see if /usr/sbin/exim is executable.  If it isn't, then the
shell script above won't do anything.  Next check your exim log
(/var/log/exim/mainlog).  If you see messages about a queue run then
you know that exim processed the queue.  It's possible that there are
no messages to deliver or that they finished delivering before you
noticed exim had done anything.  The exim package also sets up a cron
job in /etc/cron.d/exim:

    # Run queue every 15 minutes
    08,23,38,53 *     * * *     mail   if [ -x /usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi

You should also see messages in exim's log about queue runs at
those times.

HTH,
-D

-- 
"...In the UNIX world, people tend to interpret `non-technical user' as
meaning someone who's only ever written one device driver."
    --Daniel Pead
 
http://dman.ddts.net/~dman/
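
The privilege handling described in this message (run as root only as long as needed, then setuid() to the user a delivery is for), as an added example that is not Exim's code and not part of the original post. `drop_to_user` is a hypothetical helper, and the fallback id 65534 in main() is an assumed "nobody" account.

```c
/* Added example: permanent drop from root to an unprivileged user. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: declares setgroups() and seteuid() */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 on success, -1 on failure (errno set).
 * A caller must treat -1 as fatal and not go on to do the delivery. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (uid == 0) {                  /* root is never a valid drop target */
        errno = EINVAL;
        return -1;
    }
    /* 1. While still root, replace the supplementary groups inherited
     *    from the caller with just the target gid. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* 2. Group before user: once the uid is dropped, the gid is fixed. */
    if (setgid(gid) != 0)
        return -1;
    /* 3. As root, setuid() sets the real, effective and saved uid at once. */
    if (setuid(uid) != 0)
        return -1;
    /* 4. Verify the ids and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid ||
        setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* As root, drop to the assumed "nobody" ids; otherwise keep our own. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getgid() ? getgid() : 65534;
    if (drop_to_user(uid, gid) != 0) {
        perror("drop_to_user");
        return 1;
    }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```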
