On Wed, Jun 14, 2006 at 10:47:18AM +0100, Tony Finch said:
> On Wed, 14 Jun 2006, Stephen Gran wrote:
> >
> > iptables -t filter -A OUTPUT -m owner --uid-owner 0 -m state --state NEW \
> >   -p tcp --dport 25 -j ACCEPT
> >
> > If it is a root compromise, of course, you're screwed anyway, but a
> > simple push over of a php script running as a non-privileged httpd user
> > may not kill you in this case.
>
> Except that Marc explicitly wants his httpd user to be able to send email.
> I wonder if he lets his users install CGIs.
The rule above does nothing about sending through exim; it's on the OUTPUT chain. I am assuming even Marc can now figure out how to make exim make its own decisions about these issues. I was answering someone's other point that shell users can set up their own MTA rather trivially and start sending spam directly, if exim won't relay for them.

And full ACK about user-supplied CGIs - they are almost never worth the hassle.

Sorry if it was unclear,
-- 
--------------------------------------------------------------------------
| Stephen Gran                  | Vitamin C deficiency is apauling.      |
| [EMAIL PROTECTED]             |                                        |
| http://www.lobefin.net/~steve |                                        |
--------------------------------------------------------------------------

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
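Editor's worked example (added here; it is not code from the thread, from Stephen, or from the Exim project): the owner-match egress rule written out as a complete, reviewable iptables-restore ruleset rather than a single iptables command. It makes the point of the reply concrete in two ways. First, loopback is exempted explicitly, so local submission to the MTA (the sendmail binary, or a connection to localhost:25) keeps working for the httpd user; the rule only stops non-root processes from talking SMTP directly to the outside world. Second, besides root it whitelists the uid the MTA's own delivery processes run under, since on most installations exim does not deliver remote mail as root. The script name smtp-egress.sh, the functions mta_uid and egress_smtp_rules, the MTA_USER variable and its Debian-exim default are the example's own assumptions; check which user your exim runs remote transports as before loading it. Loading requires root, so the default action is to print the ruleset for review.

```sh
#!/bin/sh
# smtp-egress.sh - example egress policy: only root and the MTA delivery
# uid may open NEW outbound TCP/25 connections; loopback is untouched so
# local submission to the MTA still works. Added example, not list code.
#
# Assumption (not stated in the thread): remote deliveries run as the
# user in MTA_USER. Debian-exim is Debian's exim4 default; adjust it for
# your system. Resolution uses getent, which must exist on the host.

MTA_USER="${MTA_USER:-Debian-exim}"

# Resolve a user name to a numeric uid. A value that is already numeric
# is passed through, so the ruleset can be generated on a host that does
# not have the MTA user (e.g. for review on a workstation).
mta_uid() {
    case "$1" in
        ''|*[!0-9]*) getent passwd "$1" | cut -d: -f3 ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Print the filter-table ruleset in iptables-restore format.
# Rule order matters: loopback and already-established traffic first,
# then the permitted owners, then the logging catch-all and the reject.
egress_smtp_rules() {
    uid="$1"
    cat <<EOF
*filter
:OUTPUT ACCEPT [0:0]
# Local submission (sendmail binary or localhost:25) is not affected.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only root and the MTA delivery uid may open new outbound SMTP sessions.
-A OUTPUT -p tcp --dport 25 -m state --state NEW -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW -m owner --uid-owner ${uid} -j ACCEPT
# Anything else (a PHP script running as the httpd user, a user's private
# MTA) is logged, then refused with a RST so the client fails fast.
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j LOG --log-prefix "smtp-egress-denied: "
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Usage:  sh smtp-egress.sh print   -> print the ruleset for review
#         sh smtp-egress.sh apply   -> load it with iptables-restore (root)
main() {
    uid=$(mta_uid "$MTA_USER")
    if [ -z "$uid" ]; then
        echo "cannot resolve uid for $MTA_USER" >&2
        return 1
    fi
    if [ "$1" = apply ]; then
        # --noflush adds to the existing OUTPUT chain instead of replacing it.
        egress_smtp_rules "$uid" | iptables-restore --noflush
    else
        egress_smtp_rules "$uid"
    fi
}

case "${1:-}" in
    print|apply) main "$1" ;;
esac
```

Two things worth checking after loading: the kernel only sees `-m owner` on locally generated packets, so this does nothing for traffic forwarded from other hosts; and because root stays whitelisted, a root compromise walks straight past it, exactly as the original rule's author noted. Watch the `smtp-egress-denied:` log prefix for a while before switching LOG to nothing: the first hits are usually a legitimate local process you forgot about, not a spammer.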
