Re: [Nss-mysql-users] exim and SMTP AUTH
From: Guillaume Morin
Subject: Re: [Nss-mysql-users] exim and SMTP AUTH
Date: Sat, 30 Nov 2002 17:39:50 +0100
User-agent: Mutt/1.4i
Hi Marcin,
In a message of 26 Nov at 1:40, Marcin Sochacki wrote:
> 1) I wanted to enable SMTP AUTH in Exim, but this option requires some
> form of access to (encrypted) password. Unfortunately, in default
> configuration, exim is unable to open /etc/nss-mysql-root.conf, e.g.:
> Nov 26 00:39:50 sanus nss-mysql[3355]: Cannot open
> /etc/nss-mysql-root.conf configuration file: Permission denied.
> (euid=134566896, uid=134565744)
>
> I've tried to relax the permissions of that file to
> (0640,root.mail), but then another problem occurred -- nss-mysql
> checks the file and refuses to work if the permissions seem unsafe.
That is normal. If exim needs to access the shadow database, it should run
as root. Well, there is this shadow group. The problem is that afaik it
is not a standard group so I am afraid to create a potential security
problem if I allow the shadow group to read nss-mysql-root.conf.
If you want, I can send you a simple patch which will allow you to use
the shadow group.
> 2) can I cache shadow information with nscd?
I don't think nscd caches shadow information. It would be very useful
since I do not know any programs which use getspent().
Furthermore, nscd seems to trigger very weird bugs. I now advise people
to drop it.
> 3) is it OK to use nscd, and have /etc/nss-mysql.conf mode 0600?
> I don't want my users browsing the database of accounts.
Yes you could do that. Well, if you authorize the nss user to read only
the necessary columns, users won't be able to get more information than
/etc/passwd.
> Is nscd stable enough so I can safely use it on a server with ~3000
> shell accounts? I've heard it sometimes dies unexpectedly -- is it a myth
> or truth?
See above.
> 4) euid=134566896, uid=134565744 -- are those large ids OK? I often find
> them in my syslog, with regard to nss-mysql.
Yes, that is a bug. It is fixed in the CVS.
> 5) are there any tools available, which can be used to manage nss-mysql
> accounts via web/shell?
Not that I am aware of. But if you write some, please send them to me,
I'll include them in the distribution.
Regards,
--
Guillaume Morin <address@hidden>
And if I only feel good when I've been drinking, too bad (Cornu)
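
The kind of permission check discussed under point 1, with an optional trusted group, as an added example: it is not part of the original message and is not nss-mysql's own code. The policy, the function names and the `NO_GROUP` sentinel are assumptions; a temporary file stands in for /etc/nss-mysql-root.conf, and its own uid/gid stand in for root and the shadow group.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkstemp, fchmod */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
enum verdict { CONF_OK, CONF_OPEN_FAILED, CONF_NOT_REGULAR, CONF_BAD_OWNER,
               CONF_WORLD_ACCESS, CONF_GROUP_WRITABLE, CONF_GROUP_READABLE };
#define NO_GROUP ((gid_t)-1)   /* hypothetical sentinel: no group is trusted */

/* Hypothetical policy: regular file owned by `owner`, no access for "other",
 * never group-writable, group-readable only if its group is `trusted_gid`. */
enum verdict check_secret_conf(const char *path, uid_t owner, gid_t trusted_gid)
{
    struct stat st;
    /* Open, then fstat() the descriptor, so the object that was checked is
     * the object that gets read; O_NOFOLLOW refuses a symlinked path. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return CONF_OPEN_FAILED;
    enum verdict v = CONF_OK;
    if (fstat(fd, &st) != 0)         v = CONF_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))   v = CONF_NOT_REGULAR;
    else if (st.st_uid != owner)     v = CONF_BAD_OWNER;
    else if (st.st_mode & S_IRWXO)   v = CONF_WORLD_ACCESS;
    else if (st.st_mode & S_IWGRP)   v = CONF_GROUP_WRITABLE;
    else if ((st.st_mode & S_IRWXG) && st.st_gid != trusted_gid) v = CONF_GROUP_READABLE;
    close(fd);
    return v;
}

/* Constructed sample: create a temp file with `mode` and check it, trusting
 * the file's own group only when `trust_group` is non-zero. */
enum verdict demo(mode_t mode, int trust_group)
{
    char path[] = "/tmp/nss-conf-demo-XXXXXX";
    struct stat st;
    enum verdict v = CONF_OPEN_FAILED;
    int fd = mkstemp(path);
    if (fd < 0) return v;
    if (fchmod(fd, mode) == 0 && fstat(fd, &st) == 0)
        v = check_secret_conf(path, st.st_uid, trust_group ? st.st_gid : NO_GROUP);
    close(fd); unlink(path);
    return v;
}

int main(void)
{
    printf("0600:%d 0640:%d 0640+group:%d 0644:%d\n", demo(0600, 0), demo(0640, 0), demo(0640, 1), demo(0644, 1));
    return 0;
}
```

With a trusted group configured, every member of that group can read the database credentials stored in the file, so the group's membership becomes part of the trust boundary.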