
exim and pam authentication meets privileges

September 13, 2006

For reasons that I will go into later, the new home server is using exim for its mail transport rather than the standard sendmail. I wanted to authenticate users sending email with their login and password from the local passwd and shadow files. This is a snap with exim, using the following in the exim.conf file:

plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = "${if pam{$2:$3}{1}{0}}"
  server_set_id = $2

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = "${if pam{$1:$2}{1}{0}}"
  server_set_id = $1

or so I thought. Since exim is security conscious it runs as its own user and not as root, so it is unable to read the /etc/shadow file, and no matter what password you enter at login, authentication fails. My quick solution was to give the exim daemon permission to read all files using privileges. So the start script now does:

ppriv -s PI+file_dac_read -e $DAEMON $EXIM_PARAMS 

This allows it to read any file on the system, which is a risk, but not as great a risk as having it run as root. I look forward to someone telling me a better way.
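Why the start script needs PI+ rather than just P+ comes down to Solaris privilege-set arithmetic. As an added example (not code from this post), the following Python models the ppriv -s spec syntax, the exec rule from privileges(5) (E' = P' = I' = L & I, L' = L), and the fact that a non-privilege-aware daemon gets E = P = I when it changes from root to its own uid; the BASIC and ALL sets are constructed stand-ins, so compare them with `ppriv -l basic` and `ppriv -l` on a real host.

```python
import re

# Solaris 10 "basic" set and a small stand-in for the full privilege list
# (constructed for this example; check `ppriv -l basic` / `ppriv -l` on a host).
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"})
ALL = BASIC | frozenset({"file_dac_read", "file_dac_write", "file_dac_search",
                         "proc_setid", "sys_resource", "net_privaddr"})
SPEC_RE = re.compile(r"^([EIPL]+)([+\-=])([a-z_,]+)$")

def apply_spec(sets, spec):
    """Apply one `ppriv -s` spec (e.g. 'PI+file_dac_read') to a dict of E/I/P/L sets."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"bad privilege spec: {spec!r}")
    names, op, privs = m.groups()
    privs = frozenset(privs.split(","))
    unknown = privs - ALL
    if unknown:
        raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
    new = dict(sets)
    for s in names:
        if op == "+":
            new[s] = sets[s] | privs
        elif op == "-":
            new[s] = sets[s] - privs
        else:
            new[s] = privs
        # The limit set only ever shrinks, and E/I/P can never exceed it.
        new[s] &= sets["L"]
    return new

def exec_non_setuid(sets):
    """Child sets after exec of a non-setuid binary: E' = P' = I' = L & I, L' = L."""
    inherited = sets["L"] & sets["I"]
    return {"E": inherited, "I": inherited, "P": inherited, "L": sets["L"]}

def effective_after_uid_drop(spec):
    """Effective set the daemon keeps once it has switched from root to its own uid.
    A non-privilege-aware process gets E = P = I on that uid change, and exec already
    made I' = L & I, so only what the spec put into the inheritable set survives."""
    start = {"E": ALL, "I": BASIC, "P": ALL, "L": ALL}  # observed sets of a root shell
    return exec_non_setuid(apply_spec(start, spec))["I"]

if __name__ == "__main__":
    for spec in ("PI+file_dac_read", "P+file_dac_read"):
        print(spec, "->", sorted(effective_after_uid_drop(spec)))
```

Running it shows that PI+file_dac_read leaves the daemon with basic plus file_dac_read, while P+file_dac_read alone is lost on exec and the uid change, which is the difference between the login working and failing.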

Tags: topic:[solaris] topic:[home server]

From → Solaris

  1. Did you say that Exim is using PAM? Normally PAM applications require all privilege, but I can see why you’d not want it here. Just be careful how you configure PAM.
    Also, the choice between giving exim file_dac_read (meaning that secrets, like your host’s private ssh host keys) and giving the user it runs as read access to /etc/shadow isn’t great. Exim sounds like a great candidate for using embedded_su(1M).

  2. One way is to chgrp exim /etc/shadow; chmod g+r /etc/shadow, which gives the minimum necessary privilege to Exim. Or you can use the Cyrus saslauthd.

  3. Any reason you can’t create a standalone user repository (e.g., flat files or an LDAP server)? This would allow the MTA to read the repository as an unprivileged user, and would also allow you to use a chroot’ed environment. If you’re not completely set on using exim, postfix supports chroot() and several user credential repositories.
    – Ryan

  4. Changing the ownership, mode and/or adding ACLs to the shadow file only gives a brief solution as the passwd command resets them.
    It looks like embedded SU will be the way to go if I want a single sign on solution, or LDAP, which just feels like overkill on a server for a family.

  5. So far you’ve been working towards the perfect ZFS solution, perfect Samba setup… don’t sacrifice it here. I bet you could have LDAP up and running in no time at all!

  6. Lewis,
    You are right. I don’t know what I was thinking.
    LDAP will be next.
    Now which server should I use?

  7. If you’re using embedded_su(1M) and pam_ldap(5) then you get LDAP support for free… Almost. The price is that pam_ldap(5) authenticates Unix users with LDAP, but your MTA may want to authenticate non-Unix users.

  8. My experience is limited to OpenLDAP, which has worked well. One feature I missed is multi-master which obviously the Sun and Red Hat servers support (I think they both share the Netscape code base) but I don’t think you’ll have any need for this on one server 🙂
