On Mon, Feb 21, 2000 at 07:48:28PM -0600, Henri J. Schlereth wrote:
> Aside that I may have missed anything in the FAQ, and the man pages dont
> install unless I missed a step, why is this a security issue?
> What is the logic behind that and why then can I defeat it by
> having a .qmail that forwards to root on another system?
By allowing delivery to root directly, you would allow the running
of programs as root. Eg: by having a program invocation
in ~root/.qmail
By *forcing* root mail to ~alias/.qmail-root, qmail removes
the possibility of that occuring.
You could argue that root would be very careful in what
they put into their .qmail files. qmail's view is that the
temptation too easy and the risk too great.
> I have worked as a sysadmin for a while and have always gotten
> root mail alerts and notifications, when machines are down,
> when someone tries to crack in to a system all bells and
> alarms go off, email and pager messages to root.
Nothing stops that occuring with qmail. Simply put whatever
you want into ~alias/.qmail-root
It merely runs as the user alias rather than the user root.
You might, eg, have:
| send_to_pager 555151515
in ~alias/.qmail-root
Mark.
