On Sun, Apr 16, 2006 at 12:39:49PM +0100, Tim Jackson said:
> >It depends. Obviously if you have
> >
> >mail ALL=(root) NOPASSWD ALL
> >
> >then that's not a good idea, but if you restrict mail to running just
> >some wrapper scripts that invoke iptables appropriately, then it is
> >reasonably secure.
>
> Except that a compromise of "mail" means a root compromise. It's rather
> a shame to throw away all Exim's careful user-switching (to try to limit
> the effect of any compromise) just so you can do iptables rules.

I don't think the OP was suggesting using that line in sudoers as is - I think the OP was suggesting that you NOT use that line, but configure sudo to allow a very specific script to be run. In that case, it's reasonably secure and does NOT necessarily mean a root compromise.
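
One way to set up the "very specific script" arrangement discussed in this thread, as an added example that is not part of the original messages: a sudoers entry limited to a single wrapper, and a wrapper that accepts nothing but one IPv4 address. The script path, the chain name EXIM_BLOCK and the iptables location are assumptions.

```shell
#!/bin/sh
# Added example. Assumed install path: /usr/local/sbin/exim-block-ip,
# owned by root, mode 0755, so the "mail" user cannot modify it.
#
# sudoers (edit with visudo), instead of "mail ALL=(root) NOPASSWD: ALL":
#   mail ALL=(root) NOPASSWD: /usr/local/sbin/exim-block-ip
# sudo then permits any arguments to this one script, so the script
# itself must refuse everything except a single IPv4 address.

PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
IPTABLES=/sbin/iptables   # assumed location; absolute, not looked up in PATH
CHAIN=EXIM_BLOCK          # assumed dedicated chain created by the admin

valid_ipv4() {
    # Only digits and dots survive this check, so no option such as "-F"
    # and no shell metacharacter can be passed on to iptables.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (safe: no glob characters left)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        case "$octet" in 0?*) return 1 ;; esac   # no leading zeros
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: exim-block-ip <ipv4>" >&2; return 64; }
    valid_ipv4 "$1" || { echo "rejected: not an IPv4 address" >&2; return 65; }
    # The caller controls only the source address; chain and target are fixed.
    exec "$IPTABLES" -A "$CHAIN" -s "$1" -j DROP
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

With this in place, a compromised "mail" account can add DROP rules for single addresses to one chain, and nothing else that root can do.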
