On Monday 20 Jul 2015 22:50:31 Walter Dnes wrote: > On Mon, Jul 20, 2015 at 06:49:00PM +0100, Mick wrote > > > This is all good and dandy, but letting user "nobody" read your > > mail accoutn passwd may not be the safest approach to sending email > > messages from your machine. > > I think you missed the point. The "NOPASSWD:" option means that this > one particular user "nobody" ***DOES NOT NEED THE ROOT PASSWORD*** to > execute this one particular command which normally requires "root" level > privileges. I repeat, it has no need for the password.
I have not missed the point you are raising. My concern was that "nobody" is a user account without a login shell, to which you give access to a user file that has a login shell and in particular to a file that contains the email account passwd of that user. Given that public servers and daemons often run as nobody:nogroup I would be cautious about this. I do not have an exact script in mind which could potentially cause privilege escalation, but someone more skilled that I in the dark arts could well do. -- Regards, Mick
signature.asc
Description: This is a digitally signed message part.
