mailing list archives
Re: Mail delivery privileges
From: Henrik Nordstrom <hno () hem passagen se>
Date: Sat, 19 May 2001 22:10:46 +0200
What is required is that delivery runs as the user the delivery is for
when running custom programs via .forward or another mechanism. The rest
of the mail transfer however does not need to run as root for this to be
For systems not requiring mail delivery to user programs then the mail
delivery may well be set up to not require any special per-user
privilegies, but then you will need special user-agent privilegies in
order to access the mail spool, which practically limits this approach
to POP/IMAP environments only as the varity of mail user-agents are much
broader and most likely harder to secure than the mail delivery
process... if any of the user-agents which has been given mail
privilegies are insecure then your users will be able to mess around
with each others email freely, and most likely mess around with other
aspects your delivery agent as well.
To do SMTP mail deliery securely the SMTP agent and mail delivery agent
needs to be separated with a well defined and secure interface. Such a
interface is not a terribly hard thing to define and can even be done in
Sendmail if you like. The mail delivery agent is then responsible for
assuming the identity of the user, and deliver the mail to him (spool
file or via .forward), but does not know anything else than mail
delivery to that user.
Peter W wrote:
To protect users from each others' ~/.forward instructions, it is necessary,
as Wietse said, for the delivery agent to start with superuser privileges.
There are ways to make things a little bit safer, e.g. have the delivery
agent drop privileges to nobody:bobpipe (where only bob is a member of
bobpipe) instead of bob:users when running the ~/.forward command, but that
only protects bob from his own mistakes in ~/.forward and still leaves
the delivery agent starting out with superuser privs...