
Re: nobody/nogroup - ITP maildir-bulletin



On Wed, Oct 20, 1999 at 03:49:39PM +0200, Russell Coker wrote:
> I am about to develop a package which delivers email bulletins to Maildir
> mail users.  This needs to be SUID root to deliver mail inside their home
> directories.  I don't want to allow anyone to run it due to possible security
> problems.  In the first site that it's being installed on (for Cap Gemini who
> paid for the development) Postfix is being configured to run external mail
> delivery programs as user "postnous", this user is in group "postnogr".  The
> binary for bulletin delivery is of group "postnogr" and mode 4750 which makes
> it quite secure.
> For the Debian version should I use group/users such as postnogr and
> postnous?  Or should I just use nobody/nogroup?

I don't think nobody is a good idea. If you break into one program run
as nobody, you break into them all... (not sure how/if this applies to
setuid root code).

Same with the group, especially as you seem to use it to
control access...

However, your description above leaves me slightly confused as
to what this program does. Here is my impression:

1. Your program is called from postfix as user:group postnous:postnogr.
2. It is setuid root, but only can be run from the postnogr group.
3. It manually delivers the message to Maildir.

Why is this better than allowing postfix to deliver the message?
-- 
Brian May <bam@snoopy.apana.org.au>
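
Added example, not part of the original thread or of the maildir-bulletin package: a small Python audit of the access gate the quoted message describes (root-owned, setuid, mode 4750, run only by a dedicated group). The `HelperMeta` type, the function name and the sample values are assumptions made for illustration.

```python
import stat
from dataclasses import dataclass

# Catch-all accounts named in the thread; a group used as an access gate
# should not be one that unrelated programs also run under.
SHARED_GROUPS = {"nogroup", "nobody"}

@dataclass
class HelperMeta:
    """Ownership and mode of a setuid helper (constructed here; could be filled from os.stat)."""
    mode: int    # permission bits, e.g. 0o4750
    owner: str   # owning user name
    group: str   # owning group name

def audit_setuid_helper(meta, caller_group):
    """Return a list of findings; an empty list means the gate is as the thread describes."""
    findings = []
    perms = stat.S_IMODE(meta.mode)
    if not perms & stat.S_ISUID:
        findings.append("setuid bit not set")
    if meta.owner != "root":
        findings.append("not owned by root")
    if perms & stat.S_IRWXO:
        findings.append("other users have access")
    if perms & stat.S_IWGRP:
        findings.append("group-writable: group members can modify the file")
    if not perms & stat.S_IXGRP:
        findings.append("group cannot execute it")
    if meta.group in SHARED_GROUPS:
        findings.append(f"group {meta.group!r} is shared with unrelated programs")
    if meta.group != caller_group:
        findings.append(f"caller group {caller_group!r} does not match {meta.group!r}")
    return findings

if __name__ == "__main__":
    # Constructed samples: the layout from the thread, then a looser variant.
    samples = [
        HelperMeta(0o4750, "root", "postnogr"),
        HelperMeta(0o4755, "root", "nogroup"),
    ]
    for meta in samples:
        result = audit_setuid_helper(meta, caller_group="postnogr")
        print(oct(meta.mode), meta.group, result or "ok")
```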

