Bug#318039: Needs to run as root with X

Andrew Buckeridge <andrewb@ab.bgc.com.au>, 318039@bugs.debian.org
Wed, 13 Jul 2005 10:15:32 +0800


package: eximon4
version: 4.50-8

In Debian eximon has to run as root, but Xing to root is probably not a
good idea.  If the log and spool directories are readable by user or group,
then eximon will sort of work.  Without access to the spool files
eximon.bin says "can't read spool file", but is still useful.

The eximon script could use newgrp or eximon.bin could be setgid.
The spool directory would then need to be in the matching group, but then
content scanners (such as clamav-daemon) would also need group access.

In /etc/group:
adm:x:4:clamav
	OR
Debian-exim:x:110:clamav

The question is do you make it group adm or group Debian-exim?
I would make both log and spool group Debian-exim and the script
invoke eximon.bin with sg Debian-exim.

For now I have just made them world readable and kept the groups the same, thus
eximon needs no privilege escalation to half work.  (For privacy, spool
files are still not world readable.)

In /etc/clamav/clamd.conf:
AllowSupplementaryGroups

drwxr-xr-x  2 Debian-exim adm         /var/log/exim4
drwxr-xr-x  2 Debian-exim Debian-exim /var/spool/exim4/input/

In line 8 of /etc/logrotate.d/exim4-base:
create 644 Debian-exim adm

An annoyance when I X to root via ssh is that I can't always set argv[0] when
starting eximon.

The file is always called eximon and the script just puts .bin on the
end and looks elsewhere.  Wouldn't it be simpler to just put the literal
path to the binary?

I have changed line 3 in file /usr/sbin/eximon:
EXIMON_BINARY=/usr/lib/exim4/eximon.bin
-- 
		\|/ ____ \|/
		"@'/ .. \`@"
		/_| \__/ |_\
		   \__U_/
6279EACE 2004-04-23 Andrew Buckeridge <andrewb@bgc.com.au>
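The permission model proposed in the report (log and spool directories owned by one group, group-readable so that a process started under that group via sg can read them, spool not world-readable, and scanners such as clamav added to the group) can be checked with a small audit script. The following is an added example, not part of the bug report or of the Debian eximon package; it assumes GNU stat and id, and takes the directory paths and group name as parameters so it also runs against scratch directories.

```shell
#!/bin/sh
# Added example (not from the bug report or the eximon package): audit the
# group-based access model the report proposes for exim's log and spool dirs.
# Assumes GNU coreutils (stat -c, id -nG). Paths and group are parameters.

# octal_mode DIR -> four-digit octal mode, e.g. 0750 or 2750 (setgid dir)
octal_mode() {
  printf '%04d' "$(stat -c '%a' "$1")"
}

# owner_group DIR -> name of the group owning DIR
owner_group() {
  stat -c '%G' "$1"
}

# group_can_read DIR GROUP -> 0 if DIR is owned by GROUP and group has r+x
group_can_read() {
  [ "$(owner_group "$1")" = "$2" ] || return 1
  g=$(octal_mode "$1" | cut -c3)          # group digit
  [ $(( g & 4 )) -ne 0 ] && [ $(( g & 1 )) -ne 0 ]
}

# world_can_read DIR -> 0 if "other" has the read bit set
world_can_read() {
  o=$(octal_mode "$1" | cut -c4)          # other digit
  [ $(( o & 4 )) -ne 0 ]
}

# user_in_group USER GROUP -> 0 if USER's groups include GROUP
# (what the report's /etc/group entry for clamav is meant to achieve)
user_in_group() {
  for grp in $(id -nG "$1"); do
    [ "$grp" = "$2" ] && return 0
  done
  return 1
}

# audit_exim_dirs LOGDIR SPOOLDIR GROUP
# Prints one line per finding; returns 0 only when all of these hold:
#   - LOGDIR and SPOOLDIR are owned by GROUP with group r+x
#   - SPOOLDIR is not world-readable (the privacy point in the report)
audit_exim_dirs() {
  logdir=$1 spooldir=$2 grp=$3 rc=0
  for d in "$logdir" "$spooldir"; do
    if group_can_read "$d" "$grp"; then
      echo "ok:   $d readable by group $grp (mode $(octal_mode "$d"))"
    else
      echo "FAIL: $d not readable by group $grp (group $(owner_group "$d"), mode $(octal_mode "$d"))"
      rc=1
    fi
  done
  if world_can_read "$spooldir"; then
    echo "FAIL: $spooldir is world-readable; spool files should not be"
    rc=1
  else
    echo "ok:   $spooldir not world-readable"
  fi
  return $rc
}

# Usage on a Debian system, with the group the report suggests:
#   audit_exim_dirs /var/log/exim4 /var/spool/exim4/input Debian-exim
#   user_in_group clamav Debian-exim && echo "clamav can reach the spool"
```

The checks look at the group and "other" digits of the mode rather than using test -r, because test -r answers for the current user only, while the question here is what a process running as group Debian-exim (via sg) and what any other local user would be able to read.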