Dbmail should be started as root, where the effective user is set to a non-privileged user. Doing so will result in a single process running as root, with the forked children running as, for instance, user dbmail. The root process does *not* process any requests from clients and is therefore not subject to attack. Of course the child processes are subject to such threats, and *are* vulnerable to stack-smashing attacks. Starting the parent process as non-root will not remedy this situation.

However, having dbmail.conf world-readable is *very* unwise. This will expose your whole mail database to all kinds of ugliness. Set dbmail.conf 0600, owned by the effective user set in dbmail.conf. And chown dbmail-smtp to the same user, with the suid bit set if you want regular users to be able to insert email through procmail.


Mikhail Ramendik wrote:
In a message dated 22.10.2004 04:07, Matthew T. O'Connor writes:


I only run dbmail as non root, feel much safer that way. I'm not sure why you are having problems; here are a couple of thoughts. Are you launching as root, or is the effective user executing the programs?


When I start it as the effective user, it silently fails.

When I start it as root, it starts, and works fine, but is seen in top
as root.

Does that user have the required permissions to get to the dbmail.conf file?


/etc/dbmail.conf is world readable.

However, it seems to be doing logging in /var/log/maillog, which is
only accessible to root. Perhaps I can somehow tell it to use another
log file? Anyway, can the failure to start be explained by no access to
the log file?

And: if you run it as non-root, how do you bind it to port 143? Or do
you also use a non-standard port?

Yours, Mikhail Ramendik



_______________________________________________
Dbmail mailing list
Dbmail@dbmail.org
https://mailman.fastxs.nl/mailman/listinfo/dbmail



--
  ________________________________________________________________
  Paul Stevens                                  mailto:[EMAIL PROTECTED]
  NET FACILITIES GROUP                     PGP: finger [EMAIL PROTECTED]
  The Netherlands________________________________http://www.nfg.nl
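
The permission advice at the top of this message (dbmail.conf set to 0600 and owned by the effective user named in it) can be checked with a short script. This is an added example, not part of the original post or of dbmail itself; it assumes the effective user is set by a line of the form `EFFECTIVE_USER = <name>`, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that dbmail.conf is 0600 and owned by its effective user.
# Assumption: the effective user is set by a line "EFFECTIVE_USER = <name>".

# Print the value of the first EFFECTIVE_USER line in config file $1.
conf_effective_user() {
    sed -n 's/^[[:space:]]*EFFECTIVE_USER[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when $1 is mode 0600 and owned by its EFFECTIVE_USER;
# otherwise print one line per finding and return 1.
audit_dbmail_conf() {
    conf=$1
    rc=0
    if [ ! -f "$conf" ]; then echo "FAIL: $conf not found"; return 1; fi
    want=$(conf_effective_user "$conf")
    if [ -z "$want" ]; then echo "FAIL: no EFFECTIVE_USER in $conf"; return 1; fi
    # Portable across ls implementations: field 1 is the mode string
    # (first 10 characters, ignoring an ACL/SELinux suffix), field 3 the owner.
    mode=$(ls -ld "$conf" | awk '{print substr($1, 1, 10)}')
    owner=$(ls -ld "$conf" | awk '{print $3}')
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL: $conf is $mode, expected -rw------- (0600)"
        rc=1
    fi
    if [ "$owner" != "$want" ]; then
        echo "FAIL: $conf owned by $owner, expected $want"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf is 0600 and owned by $want"
    return "$rc"
}

if [ $# -gt 0 ]; then
    audit_dbmail_conf "$1"
else
    # Constructed sample: a world-readable file naming a user that does not own it.
    demo=$(mktemp)
    printf 'EFFECTIVE_USER = dbmail-example\n' > "$demo"
    chmod 0644 "$demo"
    audit_dbmail_conf "$demo" || true
    rm -f "$demo"
fi
```

Run it with the path to the real configuration file as its only argument; with no argument it audits the constructed sample and reports both findings.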
