Tomas Telensky wrote:
>But, what I should say to the network security, is that AFAIK in the most
>of linux distributions the standard daemons (httpd, sendmail) are run as
>root! Having multi-user system or not! Why? For only listening to a port
><1024? Is there any elegant solution?
>
Yes, mos
On Tue, 24 Apr 2001, Tomas Telensky wrote:
>
> But, what I should say to the network security, is that AFAIK in the most
> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any ele
Hello,
On Tue, 24 Apr 2001, Alan Cox wrote:
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and b
> And get_mail must have elevated privileges to search for the users mail...
> or sendmail must have already switched user on reciept to put it in the
> users inbox which also requires privleges...
No. Think instead of blindly following existing implementation
socket(AF_UNIX, SOCK_STREAM
- Received message begins Here -
>
> > 1. email -> sendmail
> > 2. sendmail figures out what it has to do with it. turns out it's deliver
> ...
>
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for
On Tue, Apr 24, 2001 at 04:53:10PM +0100, Alan Cox wrote:
> > 1. email -> sendmail
> > 2. sendmail figures out what it has to do with it. turns out it's deliver
> ...
>
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. f
> 1. email -> sendmail
> 2. sendmail figures out what it has to do with it. turns out it's deliver
...
> Now, in order for step 4 to be done safely, procmail should be running
> as the user it's meant to deliver the mail for. for this to happen
> sendmail needs to start it as that user in step 3
On Wed, 25 Apr 2001, CaT wrote:
> On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> > > use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> > > configuration.
> >
> > This requires you to ensure that your MTA is started first on that
> > port...Might be di
On Tue, Apr 24, 2001 at 03:59:28PM +0100, Alan Cox wrote:
> What is this gid mail crap ? You don't need priviledge. You get the mail by
> asking the daemon for it. procmail needs no priviledge either if it is done
> right.
>
> You just need to think about the security models in the right way. Lin
Tomas Telensky <[EMAIL PROTECTED]>
> On Tue, 24 Apr 2001, Alexander Viro wrote:
> > On Tue, 24 Apr 2001, Tomas Telensky wrote:
> >
> > > of linux distributions the standard daemons (httpd, sendmail) are run as
> > > root! Having multi-user system or not! Why? For only listening to a port
> > > <1
On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> > use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> > configuration.
>
> This requires you to ensure that your MTA is started first on that
> port...Might be difficult to achieve reliably in an automatic
On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> On Tue, 24 Apr 2001, [iso-8859-2] Gábor Lénárt wrote:
> >
> > Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and
>
> This is more like 25 -> 2525 :-)
OK, that was a hard night for me, I need some sle
> I've always found the root < 1024 to be quite limmited and find myself
> wishing I could assign permissions based on ip/port.
Its been done. Search for 'sockfs' I believe it was called.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL
> > Copying spool articles matching the peercred to the client does not
>
> Running procmail as the user who is to receive the email for local mail
> delivery as running it with gid mail (for eg) would allow one user to
> modify another's mail.
What is this gid mail crap ? You don't need pri
On Tue, 24 Apr 2001, Alan Cox wrote:
> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
>
> Or that you shouldnt let inetd do it for you
> And that you shouldn't drop the capa
On Tue, Apr 24, 2001 at 03:37:34PM +0100, Alan Cox wrote:
> What role requires priviledge once the port is open ?
>
> DNS lookup does not
> Spooling to disk does not
> Accepting a connection from a client does not
> Doing peercred auth with a client does not
> Copyin
On Tue, 24 Apr 2001, [iso-8859-2] Gábor Lénárt wrote:
>
> Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and
This is more like 25 -> 2525 :-)
> use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> configuration.
This requires you to ensure that your
On Tue, 24 Apr 2001, Alan Cox wrote:
> > > It is possible to implement the entire mail system without anything running
> > > as root but xinetd.
> >
> > You want an MDA with elevated privileges, though...
^
> What role requires priviledge once the port is open ?
.forward hand
> > It is possible to implement the entire mail system without anything running
> > as root but xinetd.
>
> You want an MDA with elevated privileges, though...
What role requires priviledge once the port is open ?
DNS lookup does not
Spooling to disk does not
Accepting a
On Tue, Apr 24, 2001 at 03:18:11PM +0100, Alan Cox wrote:
> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
>
> Or that you shouldnt let inetd do it for you
> And that you sho
On Tue, 24 Apr 2001, Alan Cox wrote:
> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
>
> Or that you shouldnt let inetd do it for you
> And that you shouldn't drop the ca
> On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > Correct. <1024 requires root to bind to the port.
> ... And nothing says that it should be done by daemon itself.
Or that you shouldnt let inetd do it for you
And that you shouldn't drop the capabilities except that bind
It is possible to imple
On Tue, 24 Apr 2001, Tomas Telensky wrote:
> Thanks for the comment. And why not just let it listen to 25 and then
> being run as uid=nobody, gid=mail?
Handling of .forward, for one thing. Or pipe aliases, or...
None of this stuff is unsolvable (e.g. handling of .forward belongs to
MDA, not M
On Tue, 24 Apr 2001, Alexander Viro wrote:
>
>
> On Tue, 24 Apr 2001, Tomas Telensky wrote:
>
> > of linux distributions the standard daemons (httpd, sendmail) are run as
> > root! Having multi-user system or not! Why? For only listening to a port
> > <1024? Is there any elegant solution?
>
On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> Correct. <1024 requires root to bind to the port.
... And nothing says that it should be done by daemon itself.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordom
On Tue, 24 Apr 2001, Tomas Telensky wrote:
> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any elegant solution?
Sendmail is old. Consider it as a remnant of times when netwo
On Tue, 24 Apr 2001, Tomas Telensky wrote:
> :-) Great.
> You and Alex are right - I agree that this is a complete moronism.
>
> But, what I should say to the network security, is that AFAIK in the most
> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having mult
>
> trustix.co.id? hehehe.
>
> If you don't want to login with user/password, then change your
> password to "". Don't want to even do that? Then just change
> /etc/inittab to invoke "login -f username" instead of mingetty or
> whatever. No need at all to hack the kernel up.
>
> Dunno why
On Tue, 24 Apr 2001 [EMAIL PROTECTED] wrote:
>a friend of my asked me on how to make linux easier to use
>for personal/casual win user.
>
>i found out that one of the big problem with linux and most
>other operating system is the multi-user thing.
>
>i think, no personal computer user should know
29 matches
Mail list logo
