exim and pam authentication meets privileges

For reasons that I will go into later the new home server is using exim for its mail transport rather than the standard sendmail. I wanted to be able to authenticate users sending email using their login and password from the local passwd and shadow files. With exim this is a snap: put the following two authenticators in the exim.conf file:

# PLAIN: the client sends authzid, authcid and password separated by NULs;
# the plaintext driver exposes them as $1, $2 and $3, so the user name is $2.
plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if pam{$2:$3}{1}{0}}"
  server_set_id = $2

# LOGIN: the server prompts for the user name and then the password,
# which arrive as $1 and $2 ("::" in a prompt is a literal colon).
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$1:$2}{1}{0}}"
  server_set_id = $1

or so I thought. Since exim is security conscious it runs as its own user and not as root, so it cannot read the /etc/shadow file, and no matter what you enter when you log in the authentication fails. My quick solution was to give the exim daemon permission to read all files, using Solaris privileges rather than making it root. So the start script now does:

# add file_dac_read to the Permitted and Inheritable sets, then exec the daemon
ppriv -s PI+file_dac_read -e $DAEMON $EXIM_PARAMS

file_dac_read lets the daemon bypass the read permission checks on any file on the system, so it can read every secret on the box (the ssh host keys, for instance), not just /etc/shadow. That is a risk, but not as great a risk as having it run as root. I look forward to someone telling me a better way.
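The authenticators above are easiest to check by hand, because the PAM failure described here looks identical to a wrong password from the client side. The following script is an added example, not code from the post or from exim: it builds the client half of the AUTH PLAIN and AUTH LOGIN exchanges (RFC 4616 and the usual two-prompt LOGIN form) so they can be pasted into a telnet session after EHLO, decodes a PLAIN response into the $1/$2/$3 numbering the plaintext driver uses, and produces the string the pam{} condition receives. The user name and password are constructed values; the script assumes a password may contain colons, which exim's pam{} condition treats as field separators and which therefore have to be doubled (the idiom the exim spec shows is ${sg{$auth2}{:}{::}}), something the configuration as posted does not do.

```python
import base64

# Constructed test credentials; not from the original post.
USER = "chris"
PASSWORD = "s3cret:with:colons"


def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Base64 client message for AUTH PLAIN (RFC 4616):
    authzid NUL authcid NUL password.
    Exim's plaintext driver splits this into $1 (authzid), $2 (authcid)
    and $3 (password), which is why the PLAIN authenticator tests
    pam{$2:$3} and sets the id from $2."""
    raw = b"\0".join(part.encode("utf-8") for part in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def login_responses(username: str, password: str) -> tuple:
    """AUTH LOGIN: the client answers the two server prompts with the
    user name and the password, each on its own base64 line.
    Exim stores the answers as $1 and $2, matching pam{$1:$2}."""
    return tuple(
        base64.b64encode(value.encode("utf-8")).decode("ascii")
        for value in (username, password)
    )


def split_plain(b64: str) -> list:
    """Decode a PLAIN response the way the plaintext driver does.
    Field index + 1 is the $n number exim assigns to it."""
    fields = base64.b64decode(b64).split(b"\0")
    if len(fields) != 3:
        raise ValueError("PLAIN response must have exactly three NUL-separated fields")
    return [field.decode("utf-8") for field in fields]


def pam_condition_argument(username: str, password: str) -> str:
    """The string handed to exim's pam{} condition.
    It is parsed as a colon-separated list, so colons inside the password
    are doubled; without that, "a:b" would be read as two extra fields
    and the authentication would fail for a correct password."""
    return f"{username}:{password.replace(':', '::')}"


def smtp_dialogue(username: str, password: str) -> list:
    """Client lines for a hand test over 'telnet host 25' after EHLO.
    Constructed example dialogue, not captured from a real server."""
    login_user, login_pass = login_responses(username, password)
    return [
        f"AUTH PLAIN {plain_initial_response(username, password)}",
        "AUTH LOGIN",
        login_user,
        login_pass,
    ]


if __name__ == "__main__":
    for line in smtp_dialogue(USER, PASSWORD):
        print(line)
    print("pam{} sees:", pam_condition_argument(USER, PASSWORD))
```

A successful test ends with a "235" reply from the server; with the privilege problem described above every attempt gets a "535", and the only way to tell the two apart is to watch the PAM failure in the system log.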



Comments:

Did you say that Exim is using PAM? Normally PAM applications require all privilege, but I can see why you'd not want it here. Just be careful how you configure PAM.

Also, the choice between giving exim file_dac_read (meaning it can read secrets like your host's private ssh host keys) and giving the user it runs as read access to /etc/shadow isn't great. Exim sounds like a great candidate for using embedded_su(1M).

Posted by Nico on September 13, 2006 at 05:11 PM BST #

One way is to chgrp exim /etc/shadow; chmod g+r /etc/shadow, which gives the minimum necessary privilege to Exim. Or you can use the Cyrus saslauthd.

Posted by Tony Finch on September 13, 2006 at 05:14 PM BST #

Any reason you can't create a standalone user repository (e.g., flat files or an LDAP server)? This would allow the MTA to read the repository as an unprivileged user, and would also allow you to use a chroot'ed environment. If you're not completely set on using exim, postfix supports chroot() and several user credential repositories. - Ryan

Posted by Matty on September 13, 2006 at 10:49 PM BST #

Changing the ownership or mode of, and/or adding ACLs to, the shadow file only gives a brief solution as the password command resets them.

It looks like embedded SU will be the way to go if I want a single sign on solution, or LDAP, which just feels like overkill on a server for a family.

Posted by Chris Gerhard on September 14, 2006 at 02:51 AM BST #

So far you've been working towards the perfect ZFS solution, perfect Samba setup... don't sacrifice it here. I bet you could have LDAP up and running in no time at all!

Posted by Lewis Thompson on September 14, 2006 at 02:34 PM BST #

Lewis,

You are right. I don't know what I was thinking.

LDAP will be next.

Now which server should I use?

Posted by Chris Gerhard on September 14, 2006 at 03:41 PM BST #

If you're using embedded_su(1M) and pam_ldap(5) then you get LDAP support for free... Almost. The price is that pam_ldap(5) authenticates Unix users with LDAP, but your MTA may want to authenticate non-Unix users.

Posted by Nico on September 14, 2006 at 05:43 PM BST #

My experience is limited to OpenLDAP, which has worked well. One feature I missed is multi-master which obviously the Sun and Red Hat servers support (I think they both share the Netscape code base) but I don't think you'll have any need for this on one server :)

Posted by Lewis Thompson on September 15, 2006 at 11:53 AM BST #

About

This is the old blog of Chris Gerhard. It has mostly moved to http://chrisgerhard.wordpress.com
