From: OCNS Consulting (no email)
Date: Tue Apr 02 2002 - 09:13:32 EST
Securing Sendmail with Cyrus - Sanity Check:
I've configured sendmail 8.12.2, to "RunAsUser" user -> "cyrus" rather than
"root". Please look over the following "sendmail.cf" excerpts and directory
ownership and permissions. Do these configs make sense? Is this environment
Secure? What other recommendations are suggested?
.
.
.
# what user id do we assume for the majority of the processing?
O RunAsUser=cyrus
.
.
.
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL,
R=EnvToL/HdrToL,
U=root:cyrus, T=DNS/RFC822/X-Unix,
A=procmail -Y -a $h -d $u
.
.
.
##################################################
### Cyrus Mailer specification ###
##################################################
##### $Id: cyrus.m4,v 8.22 2000/09/02 17:46:43 ca Exp $ (Carnegie Mellon)
#####
Mcyrus, P=/usr/cyrus/bin/deliver, F=lsDFMnPqAh5@/:|, S=EnvFromL,
R=EnvToL/HdrToL,
U=cyrus:mail, T=DNS/RFC822/X-Unix,
A=deliver -e -m $h -- $u
Mcyrusbb, P=/usr/cyrus/bin/deliver, F=lsDFMnPu, S=EnvFromL,
R=EnvToL/HdrToL,
U=cyrus:mail, T=DNS/RFC822/X-Unix,
A=deliver -e -m $u
Mcyrus, P=[IPC], F=lsDFMnqA@/:|SmXz, E=\r\n,
S=EnvFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix,
A=FILE /var/imap/socket/lmtp
.
.
.
Queue Directory permissions:
drwxrwx--- 2 cyrus mail 4096 Apr 1 09:17 clientmqueue
drwxr-x--- 4 cyrus mail 4096 Mar 25 16:31 imap
drwxr-x--- 3 cyrus mail 4096 Mar 26 08:57 imap-news
drwx------ 2 cyrus amavis 4096 Apr 1 13:57 mqamavis
drwx------ 2 root cyrus 4096 Dec 10 11:28 mqueue
I know that the above configuration works however, I'm specifically, curious
about
the "local mailer" -> "procmail" configuration. Is a potential security hole
created
by executing the local mailer as "root"?
Your assistance in this matter is appreciated - Thanks!
RB
|
|
|