
Re: Exim and right permissions for execution of a perl script



On Thu, Aug 22, 2002 at 09:22:47AM +0300, Patrick J Okui wrote:
> yep.. the lack of the +x was a typo... (nothing a good night's sleep
> and a glass of milk couldn't cure :-) )... the sig13 was because the
> script would die early when it tried to access any directory below
> db_suite!

OK, that's a good start. All you need to do is find out exactly what uid/gid
the script is actually being run as, to find out why it dies.

> My question now is, is making the named.conf file as well as my namedb
> directory writable by the group (or user) exim the best way of doing
> this... or should I run the scripts suid named (in which case I should
> use /usr/bin/suidperl and it should be suid root?- or named??)??

I think you would rather have your name server files owned by 'bind' rather
than 'exim'!

I have a couple of suggestions you can try:

(1) Set up a separate aliases file for this purpose, with a separate router
in exim, and use the 'user=' and 'group=' settings to set the permissions
appropriately (in which case, you can run it as user or group 'bind')

(2) Use a C wrapper to start your program. Take the attached file, modify it
as appropriate, compile using
     gcc -Wall -o wrapper wrapper.c
Then you can make it suid bind and invoke it from your aliases file.

I haven't looked at what 'suidperl' can do, but a simple wrapper like this
is a pretty clean and safe way to do what you want. The downside is you have
to modify and recompile the wrapper for each different app you want to run
in this way.

Regards,

Brian.
[Attachment: wrapper.c]

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
	/* Fixed, minimal environment for the target program; nothing from
	   the caller's environment is passed through. */
	char *ENV[] = {
		"PATH=/bin:/usr/bin",
		"HOME=/var/tmp",
		NULL
	};

	/* copy effective ugid to real ugid: the binary is suid/sgid, so the
	   effective ids are the target account's. Group first, then user,
	   and stop if either call fails rather than exec with mixed ids. */
	if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
		perror("setgid/setuid");
		return 1;
	}
	if (chdir("/var/tmp") != 0) {
		perror("chdir");
		return 1;
	}
	execle("/usr/local/bin/testme", "testme", "arg1", "arg2", (char *)NULL, ENV);
	perror("execle");	/* only reached if the exec itself failed */
	return 1;
}
[Attachment: testme (the script the wrapper execs as /usr/local/bin/testme)]

#!/bin/sh
# Show which uid/gid, arguments and environment the wrapper handed us.

id
echo "args: $@"
echo "env:"
set
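The attached wrapper copies the effective ids to the real ones and execs with a fixed environment. The following is an added example, not part of Brian's attachment or of Exim, showing what a practitioner would add before trusting such a wrapper with a setuid bit: resolving the target account by name at run time, dropping privileges in the right order with every call checked, verifying afterwards that the drop is real and permanent, and refusing an environment that carries loader or shell overrides. The target path /usr/local/bin/update-zone and the account name "bind" are assumptions.

```c
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Environment handed to the target; nothing from the caller survives. */
static char *const SAFE_ENV[] = { "PATH=/bin:/usr/bin", "HOME=/var/tmp", NULL };

/* Resolve an account name to uid/gid instead of hard-coding numbers.
 * Returns 0 on success, -1 if the account does not exist. */
int lookup_account(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Drop to gid/uid permanently. Order matters: supplementary groups and the
 * primary group must go while we can still change them (before the uid
 * changes), and every call is checked. Returns 0 on success, -1 on error. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may do this */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: real and effective ids equal the target, and root cannot
 * be regained. Returns 1 if fully dropped, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;  /* root came back: the drop was not permanent */
    return 1;
}

/* Reject an environment with malformed entries or loader/shell overrides.
 * Returns 1 if every entry is NAME=value and none has a banned prefix. */
int env_is_sane(char *const env[])
{
    static const char *banned[] = { "LD_", "IFS=", "ENV=", "BASH_ENV=", NULL };
    for (size_t i = 0; env[i] != NULL; i++) {
        if (strchr(env[i], '=') == NULL)
            return 0;
        for (size_t b = 0; banned[b] != NULL; b++)
            if (strncmp(env[i], banned[b], strlen(banned[b])) == 0)
                return 0;
    }
    return 1;
}

/* Self-checks usable without root: a constructed hostile environment must be
 * rejected, and dropping to our own ids must succeed and verify. */
int bad_env_rejected(void)
{
    char *const bad[] = { "PATH=/bin", "LD_PRELOAD=/tmp/x.so", NULL };  /* constructed */
    return env_is_sane(bad) == 0;
}

int drop_to_self_ok(void)
{
    uid_t u = getuid();
    gid_t g = getgid();
    return drop_privileges(u, g) == 0 && privileges_dropped(u, g);
}

int root_lookup_ok(void)
{
    uid_t u = 1;
    gid_t g = 1;
    return lookup_account("root", &u, &g) == 0 && u == 0;
}

/* Wrapper entry point: installed setuid bind, execs the hypothetical zone
 * update script with a fixed argv and SAFE_ENV. */
int main(void)
{
    uid_t uid;
    gid_t gid;
    if (lookup_account("bind", &uid, &gid) != 0) {
        fprintf(stderr, "no such account: bind\n");
        return 1;
    }
    if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid, gid)) {
        perror("privilege drop failed");
        return 1;
    }
    if (chdir("/var/tmp") != 0 || !env_is_sane(SAFE_ENV)) {
        perror("chdir or environment check failed");
        return 1;
    }
    execle("/usr/local/bin/update-zone", "update-zone", (char *)NULL, SAFE_ENV);
    perror("execle");
    return 1;
}
```

The point of privileges_dropped() is that setuid() in a setuid-root binary changes all three ids, so a later setuid(0) must fail; if it succeeds, the wrapper was still privileged at exec time and the whole scheme is unsafe. Building the wrapper for a different script still means editing the execle() line and recompiling, as Brian notes.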