> There are sites that do no local deliveries that are able to run Exim
> setuid "exim" rather than setuid "root".

I've been giving a lot of thought to this too, because I use a lot less privilege on my systems than people conventionally do -- smaller setuid programs and Linux fine-grained capabilities -- and Exim stands out as the biggest, most complex user of root privilege in the system. Does it have to be setuid anything?

It seems to me that the Exim executable is 3 things, at least the way I use it: 1) an SMTP server; 2) a mail originator; 3) an administrator for the SMTP server and mail queue.

The SMTP server can just run as real 'exim' (no setuid), right? The piped-to transport program would be setuid so that it can make local deliveries. It can also handle forwarding, or .forward files can simply be world readable. It can inherit its Port 25 socket.

As a mail originator, Exim wants to directly access the mail queue for local deliveries, but it doesn't have to. It could take advantage of a setuid pipe transport program. Or that program could be executable only by 'exim' and the mail originator could do an SMTP connection to localhost. Is there a way today to configure Exim to do that (use SMTP transport for locally originated, locally bound mail, but local transport for SMTP-originated, locally bound mail)? Is there maybe some other simple SMTP client program that one could use with an MUE instead of Exim?

As an administrator program, I think as worst case, a real superuser process could invoke the program, and that ought to let it do what it needs to do.

> Exim hard-codes its configuration file, and then takes everything else
> from there.

I noticed, and I really appreciate that (along with the fact that one can choose a different config file at run time, with appropriate loss of setuid-based privilege).

-- 
Bryan Henderson                                   Phone 408-621-2000
San Jose, California

--
## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
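The routing split asked about in the post above (SMTP transport for locally submitted mail to local domains, local transport for mail that arrived over SMTP) can be expressed with Exim's router ordering. The fragment below is an added example, not code from the list post or from the Exim project. It assumes the `local_domains` domain list and the `remote_smtp` and `local_delivery` transports from Exim's default configure file, that Exim listens on 127.0.0.1 port 25, and the router name `local_origin_via_smtp` is made up for illustration.

```text
# Added example (not from the post or from Exim): route locally submitted
# mail for local domains over SMTP to the loopback listener, while mail that
# arrived via SMTP (including the re-injected copy) falls through to the
# usual local-delivery routers.
# Assumes: domainlist local_domains, and the transports remote_smtp and
# local_delivery, as defined in Exim's default configure file.
# Routers are tried in order, so this one must precede the local routers.

begin routers

# $sender_host_address is empty only for messages that did not arrive over
# a TCP/IP SMTP connection, i.e. command-line or stdin submission.
local_origin_via_smtp:
  driver = manualroute
  domains = +local_domains
  condition = ${if eq{$sender_host_address}{}{yes}{no}}
  route_list = * 127.0.0.1
  # The routed host is this machine; without "self = send" manualroute
  # refuses a route that points at the local host.
  self = send
  transport = remote_smtp

# The copy received over the loopback SMTP hop has
# $sender_host_address = 127.0.0.1, so it skips the router above and is
# delivered locally here. That is what prevents a mail loop; Exim's
# received_headers_max limit remains as a backstop.
localuser:
  driver = accept
  domains = +local_domains
  check_local_user
  transport = local_delivery
```

To check the local-origin path, `exim -bt user@<local domain>` runs the routers with no sender host, so it should report `local_origin_via_smtp` and the `remote_smtp` transport; a message that genuinely arrives on port 25 will instead be reported against `localuser` in the delivery log.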
