Gene Heskett wrote: > > Ok, I'll fix that, thanks. > > >> That said, why give the saupdate user the ability to add keys at all? >> Import them as root and only give the saupdate user read access. >> > > Basically, since I run myself as root, I was trying to reduce the exposure. > All the rest of the routine mail handling here is by unpriviledged users. > And > it is all behind a dd-wrt firewall with NAT. > > True, but installing keys isn't something that should be routine. This should only be possible manually. i.e.: sa-update does not need to create or write to the key file to perform an update.
If you're concerned about exposure, it's really best that your automatic saupdate user not have rights over the key file, it doesn't need it.
