Wednesday Sep 13, 2006

exim and pam authetication meets privileges

For reasons that I will go into later the new home server is using exim for it's mail transport rather than the standard sendmail. I wanted to be able to authenticate users sending email using their login and password from the local password and shadow files. This is a snip with exim with the following in the exim.conf file:

plain:
driver = plaintext
public_name = PLAIN
server_condition = "${if pam{$2:$3}{1}{0}}"
server_set_id = $2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if pam{$1:$2}{1}{0}}"
server_set_id = $1

or so I thought. Since exim is security conscious it runs as it's own user and not as root so it is unable to read the /etc/shadow file so no matter what you enter as you login you can't. My quick solution to this was to give the exim daemon permission to read all files using privileges. So the start script now does:

ppriv -s PI+file_dac_read -e $DAEMON $EXIM_PARAMS

Which allows it to read any file on the system which is a risk but not as great a risk as having it run as root. I look forward to someone telling me a better way.


Tags:

About

This is the old blog of Chris Gerhard. It has mostly moved to http://chrisgerhard.wordpress.com

Search

Archives
« April 2014
MonTueWedThuFriSatSun
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today