Paul J Stevens <[EMAIL PROTECTED]> said: > Aaron Stone wrote: >> I'd like to propose that for > 2.0, we have a system like mysql does for >> access control to the database. Especially if we are moving the tools to >> man.8, it might also make sense to setuid them, make the config file root >> read-only, and then use privilege flags in the database to determine if >> the user running the particular dbmail-* program has rights to view or >> modify the database in an administrative way. > > In debian dbmail-smtp is already setuid 'dbmail' and the config file is > owned by dbmail:dbmail, mode 640. That way anyone can inject messages > but only privileged users can manage users or access the data.
Oh, that's perfect then. So the next question is what steps would we want to take in the dbmail utilities to restrict access to add/modify/delete users, maintain the database, etc? Aaron
