I will have to test it out. Andrew, can you confirm this is proper?

-C <filelist>

This option causes Exim to find the run time configuration file from the given list instead of from the list specified by the CONFIGURE_FILE compile-time setting. Usually, the list will consist of just a single file name, but it can be a colon-separated list of names. In this case, the first file that exists is used. Failure to open an existing file stops Exim from proceeding any further along the list, and an error is generated.

When this option is used by a caller other than root or the Exim user, and the list is different from the compiled-in list, Exim gives up its root privilege immediately, and runs with the real and effective uid and gid set to those of the caller. However, if ALT_CONFIG_ROOT_ONLY is defined in Local/Makefile, root privilege is retained for -C only if the caller of Exim is root. That is, the Exim user is no longer privileged in this regard. This build-time option is not set by default in the Exim source distribution tarbundle. However, if you are using a "packaged" version of Exim (source or binary), the packagers might have enabled it.

Setting ALT_CONFIG_ROOT_ONLY locks out the possibility of testing a configuration using -C right through message reception and delivery, even if the caller is root. The reception works, but by that time, Exim is running as the Exim user, so when it re-executes to regain privilege for the delivery, the use of -C causes privilege to be lost. However, root can test reception and delivery using two separate commands (one to put a message on the queue, using -odq, and another to do the delivery, using -M).

If ALT_CONFIG_PREFIX is defined in Local/Makefile, it specifies a prefix string with which any file named in a -C command line option must start. In addition, the file name must not contain the sequence /../. However, if the value of the -C option is identical to the value of CONFIGURE_FILE in Local/Makefile, Exim ignores -C and proceeds as usual. There is no default setting for ALT_CONFIG_PREFIX; when it is unset, any file name can be used with -C.

ALT_CONFIG_PREFIX can be used to confine alternative configuration files to a directory to which only root has access. This prevents someone who has broken into the Exim account from running a privileged Exim with an arbitrary configuration file.

The -C facility is useful for ensuring that configuration files are syntactically correct, but cannot be used for test deliveries, unless the caller is privileged, or unless it is an exotic configuration that does not require privilege. No check is made on the owner or group of the files specified by this option.

--
Jeremy McSpadden
Flux Labs | Endless Solutions
Cell : 850-890-2543 | Fax : 850-254-2955

On Jan 29, 2013, at 11:21 AM, "Raymond Norton" <[email protected]> wrote:

(Ubuntu 12.04. Baruwa 2.0.0)

I am still getting the following in my panic log:

2013-01-29 11:04:40 exim user lost privilege for using -C option

This is what I have for /etc/sudoers.d/baruwa

    baruwa ALL=(exim4) NOPASSWD: /usr/sbin/exim4 -C /etc/exim4/exim4_out.conf -M *, \
        /usr/sbin/exim4 -C /etc/exim4/exim4_out.conf -Mf *, \
        /usr/sbin/exim4 -C /etc/exim4/exim4_out.conf -Mrm *, \
        /usr/sbin/exim4 -C /etc/exim4/exim4_out.conf -Mg *, \
        /usr/sbin/exim4 -C /etc/exim4/exim4_out.conf -Mar *, \
        /usr/sbin/exim4 -C /etc/exim4/exim4_out.conf -qff, \
        /usr/sbin/exim4 -Mrm *, \
        /usr/sbin/exim4 -Mg *, \
        /usr/sbin/exim4 -Mar *
    baruwa ALL = NOPASSWD: /bin/kill -s HUP *

On 01/28/2013 10:37 AM, Jeremy McSpadden wrote:

Make sure you've created the baruwa sudoers file.

--
Jeremy McSpadden
Flux Labs | Endless Solutions
Cell : 850-890-2543 | Fax : 850-254-2955

On Jan 28, 2013, at 10:23 AM, "Raymond Norton" <[email protected]> wrote:

I am seeing the following errors in my exim mainlog:

"exim user lost privilege for using -C option"

Where should I look to fix this?

Raymond

_______________________________________________
Keep Baruwa FREE - http://pledgie.com/campaigns/12056
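
As an added illustration (not part of the thread and not Exim's own code), the -C rules in the documentation quoted above can be modelled as one decision function and run against the command from the sudoers file. The function name, the caller labels, the sample CONFIGURE_FILE value, the "rejected" outcome and the order of the checks are assumptions.

```python
# Model of the documented -C rules; illustrative only, not Exim source.
from typing import Optional

CONFIGURE_FILE = "/etc/exim4/exim4.conf"   # constructed sample compiled-in value
OUT_CONF = "/etc/exim4/exim4_out.conf"     # path used in the thread's sudoers file


def dash_c_outcome(caller: str, c_arg: str, configure_file: str,
                   alt_config_root_only: bool = False,
                   alt_config_prefix: Optional[str] = None) -> str:
    """caller is 'root', 'exim' (the Exim user) or 'other' (hypothetical labels).

    Returns 'ignored', 'rejected', 'keeps_privilege' or 'drops_privilege'.
    """
    # A -C value identical to the compiled-in CONFIGURE_FILE is ignored.
    if c_arg == configure_file:
        return "ignored"
    # ALT_CONFIG_PREFIX: every name in the colon-separated list must start
    # with the prefix and must not contain the sequence /../ .
    if alt_config_prefix is not None:
        for name in c_arg.split(":"):
            if not name.startswith(alt_config_prefix) or "/../" in name:
                # Assumption: the quoted text does not name the failure mode.
                return "rejected"
    # ALT_CONFIG_ROOT_ONLY: the Exim user is no longer privileged for -C.
    if alt_config_root_only:
        return "keeps_privilege" if caller == "root" else "drops_privilege"
    # Build without ALT_CONFIG_ROOT_ONLY: root and the Exim user keep privilege.
    return "keeps_privilege" if caller in ("root", "exim") else "drops_privilege"


def scenarios() -> dict:
    """Outcomes for running `exim4 -C OUT_CONF -M ...` under different builds."""
    return {
        "exim user, plain build": dash_c_outcome("exim", OUT_CONF, CONFIGURE_FILE),
        "exim user, ALT_CONFIG_ROOT_ONLY": dash_c_outcome(
            "exim", OUT_CONF, CONFIGURE_FILE, alt_config_root_only=True),
        "root, ALT_CONFIG_ROOT_ONLY": dash_c_outcome(
            "root", OUT_CONF, CONFIGURE_FILE, alt_config_root_only=True),
        "traversal under ALT_CONFIG_PREFIX": dash_c_outcome(
            "root", "/etc/exim4/../tmp/x.conf", CONFIGURE_FILE,
            alt_config_prefix="/etc/exim4/"),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome}")
```

In this model, running the command as the Exim user keeps privilege only on a build without ALT_CONFIG_ROOT_ONLY, which is the build-time option the quoted text says packagers might have enabled.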

