What is required is that delivery runs as the user the delivery is for when running custom programs via .forward or another mechanism. The rest of the mail transfer, however, does not need to run as root for this to be possible.

For systems not requiring mail delivery to user programs, the mail delivery may well be set up to not require any special per-user privileges, but then you will need special user-agent privileges in order to access the mail spool, which practically limits this approach to POP/IMAP environments only, as the variety of mail user-agents is much broader and most likely harder to secure than the mail delivery process... if any of the user-agents which have been given mail privileges are insecure then your users will be able to mess around with each other's email freely, and most likely mess around with other aspects of your delivery agent as well.

To do SMTP mail delivery securely, the SMTP agent and mail delivery agent need to be separated with a well defined and secure interface. Such an interface is not a terribly hard thing to define and can even be done in Sendmail if you like. The mail delivery agent is then responsible for assuming the identity of the user, and delivering the mail to him (spool file or via .forward), but does not know anything else than mail delivery to that user.

--
Henrik Nordstrom

Peter W wrote:

> To protect users from each other's ~/.forward instructions, it is necessary,
> as Wietse said, for the delivery agent to start with superuser privileges.
> There are ways to make things a little bit safer, e.g. have the delivery
> agent drop privileges to nobody:bobpipe (where only bob is a member of
> bobpipe) instead of bob:users when running the ~/.forward command, but that
> only protects bob from his own mistakes in ~/.forward and still leaves
> the delivery agent starting out with superuser privs...
>
> -Peter
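The step both posts turn on, the delivery agent assuming the recipient's identity before running anything named in their .forward, as an added example in C that is not code from this thread or from any MTA. The uid and gid are assumed to come from the caller's lookup of the recipient, and the refusal to run as uid 0 plus the post-drop verification are the checks a practitioner would want in that path.

```c
/* Added example, not code from this thread or from any MTA: a local delivery
 * agent assuming the recipient's identity before running a ~/.forward command. */
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become uid:gid. Returns 0 on success, -1 on failure (caller must
 * abort, never deliver). Order matters: supplementary groups, then gid, then
 * uid, since after setuid() the process can no longer change its groups. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)            /* refuse to run .forward as root */
        return -1;
    /* Only a privileged process may clear the supplementary group list; an
     * unprivileged caller keeps its own (it cannot gain anything that way). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: any way back to root is a failure. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    /* And the identity must be exactly what was requested. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Fork, become the recipient, exec their pipe command. Returns the command's
 * exit status, or -1 if it could not be started as uid:gid. The parent (the
 * delivery agent proper) never executes anything taken from the user's .forward. */
int run_as_user(uid_t uid, gid_t gid, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_user(uid, gid) != 0)
            _exit(127);                  /* still privileged: do not exec */
        execv(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```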
This archive was generated by hypermail 2b30 : Sat May 19 2001 - 18:53:57 PDT