On Mon, 2010-12-13 at 10:41 +0000, Graeme Fowler wrote:
> Now... again, poor little dumb brain time again: Why do we need Exim to
> be setuid root? Presumably this is so it can change user when invoked to
> do local deliveries as the right user (amongst myriad other things).

Yeah. There are plenty of other MTAs with a split process setup where only the *delivery* agent actually has root privileges. The *transport* program doesn't need them.

The problem is that those are the fairly feature-poor MTAs. If you just need to specify the mbox/maildir/etc. location and spawn a process as root to "append to this mailbox", then that's simple enough to split out. But Exim is far more capable than that, and can run Sieve and Exim filter files as the user in question, processing autoreply and more complex stuff. And the filters will expect to see certain variables which were set during the delivery process ($original_local_part etc.).

But fundamentally, yes. Exim is keeping its root privs while it does all that 'generic' stuff, just so that it can later give them away by becoming the actual user it wants to deliver to.

It would be an interesting exercise to see how much we could reduce what Exim does as root when setting up for a delivery run. If we could get to the point where it doesn't need to interpret the config at all, but is handed everything it needs for that specific delivery 'on a plate', then that might be interesting. Although of course if you pass it information by some other means you still have the question of why it should *trust* what it's being told...

Given the versatility we have in message deliveries, even local delivery, I don't think it's massively practical to change the design.

-- 
dwmw2

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
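The step discussed above, giving root away by becoming the user the message is delivered to, as an added example in C that is not Exim's own code: it shows the order in which the ids must be dropped for the drop to be permanent, and a check that root cannot be regained afterwards. It assumes a Linux/glibc system and uses the current process's own uid/gid as a stand-in for the recipient's ids.

```c
/* Added example (not from Exim): permanently dropping root before a local
 * delivery, then verifying that the drop really is permanent. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototype in case the feature macros did not expose it. */
int setgroups(size_t size, const gid_t *list);

/* Become uid/gid for good. Returns 0 on success, -1 with errno set on failure.
 * Order matters: supplementary groups and the gid must be changed while the
 * process is still root, because once the uid is no longer 0 it has lost the
 * right to change them. When called by root, setgid()/setuid() set the real,
 * effective and saved ids together, so no saved root id is left behind. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; an unprivileged
         * caller (e.g. this example run as a normal user) keeps its own. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the process can no longer become root, 0 if it still can.
 * The real and effective uids must be non-zero, and an attempt to switch
 * back to uid 0 (which would succeed if a saved uid 0 remained) must fail. */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

int main(void)
{
    /* Constructed target: in Exim this would be the recipient's uid/gid. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("root dropped: %s\n", privileges_dropped() ? "yes" : "no");
    return 0;
}
```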
