Hi,
I further developed my approach to allow running smtpd with fewer
privileges. This diff does two things:
- always run lmtp deliveries as SMTPD_USER. The change to mda_unpriv.c
is needed, because otherwise all mails would be delivered to
SMTPD_USER.
- add two internal flags NOPRIV and NEEDPRIV. NOPRIV can be configured
by the simple directive "no-priv". NEEDPRIV gets set on all delivery
methods / options requiring setuid() to run as the recipient user.
A configuration error is produced on any conflict between NEEDPRIV and
NOPRIV.
In case of a NOPRIV run, smtpd will drop root privileges.
This will break .forward and alias filters.
The change to the lmtp delivery has benefits even without the second
change. With the second change my smtpd now runs without root
privileges.
The NEEDPRIV/NOPRIV options are meant to allow restricting of the
privileges of other delivery methods.
I am now looking for OKs on the first change to do unprivileged lmtp
deliveries and feedback on the general approach of the second change.
Christopher
--
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
CB07 DA40 B0B6 571D 35E2 0DEF 87E2 92A7 13E5 DEE1
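The privilege drop that a NOPRIV run performs, written out as an added example; this is not Christopher's diff (which is not quoted in the mail) and not OpenSMTPD code. The function names, the order of the calls and the use of "_smtpd" as a stand-in for the SMTPD_USER account are assumptions. The point a reviewer would check on any such change is the second function: after the drop, the process must be unable to regain root.

```c
#define _GNU_SOURCE   /* setresuid()/setresgid() on glibc; native on OpenBSD */
#include <sys/types.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Permanently drop to uid/gid (the SMTPD_USER account in the mail's
 * scenario). Returns 0 on success, -1 on the first failing call.
 * Assumed helper, not part of OpenSMTPD.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
	/* Supplementary groups are cleared first, while still root; otherwise
	 * the unprivileged process keeps root's group memberships. A non-root
	 * caller may not call setgroups() and has nothing to clear. */
	if (geteuid() == 0 && setgroups(1, &gid) == -1)
		return -1;
	/* gid before uid: once the uid is unprivileged, the gid can no longer
	 * be changed. setres*() set real, effective and saved ids together, so
	 * no saved root id is left to switch back to. */
	if (setresgid(gid, gid, gid) == -1)
		return -1;
	if (setresuid(uid, uid, uid) == -1)
		return -1;
	return 0;
}

/*
 * Check that the drop is irreversible: returns 1 when the process is not
 * root and an attempt to regain root fails with EPERM, 0 otherwise.
 */
int privileges_dropped(void)
{
	if (getuid() == 0 || geteuid() == 0)
		return 0;
	if (setuid(0) == 0)
		return 0;	/* regained root: the drop was not permanent */
	return errno == EPERM;
}

int main(int argc, char *argv[])
{
	/* "_smtpd" stands in for SMTPD_USER; the real account name is a
	 * build-time setting of the system, so it is an assumption here. */
	const char *user = argc > 1 ? argv[1] : "_smtpd";
	struct passwd *pw = getpwnam(user);

	if (pw == NULL) {
		fprintf(stderr, "unknown user %s\n", user);
		return 1;
	}
	if (drop_privileges(pw->pw_uid, pw->pw_gid) == -1) {
		perror("drop_privileges");
		return 1;
	}
	printf("running as uid %u gid %u, privileges dropped: %s\n",
	    (unsigned)getuid(), (unsigned)getgid(),
	    privileges_dropped() ? "yes" : "no");
	return 0;
}
```

Run as root with the SMTPD_USER account name as the argument to see the full drop; run as an ordinary user it only re-sets the current ids and reports that root cannot be regained. The setres*() calls are the reason the check passes: a plain setuid() from root also clears the saved uid, but seteuid() would not, and that is the mistake privileges_dropped() is there to catch.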