Re: [Lurker-users] Permissions errors

Author: Wesley W. Terpstra
Date:  
To: lurker-users
Subject: Re: [Lurker-users] Permissions errors
On Mon, Sep 21, 2009 at 7:10 PM, Gerald Livingston wrote:

> > Interesting. Perhaps it's setuid? Or perhaps there is a setting
> > somewhere else that instructs the MDA to setuid for it.
>
> -rwsr-xr-x 1 ecartis daemon 199880 2006-04-14 18:36 /usr/lib/ecartis/ecartis
>
> Is there a security reason that lurker is not setuid?
>


Well, err, yes. If the program is setuid you can run it as any user to take
action on the database. If you made lurker-index setuid, it would work too,
but then any user on the system could run lurker-index to put new mail into
your archive.

IMO the ecartis "solution" is an egregious hack.

Better is to find out how to tell your MDA which user to run as. It must be
possible since your MDA is running procmail as the target user. Find out how
it invokes procmail. That's how you want to invoke lurker.
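
The setuid exposure discussed in this message can be read straight off an `ls -l` line. The following is an added example, not part of the original message and not code from lurker or ecartis: it classifies who can invoke a setuid binary with the owner's privileges. The first sample line is the one quoted above; the other two, with their paths and account names, are constructed for comparison.

```python
import stat

# (index in the ls string, execute flag, special bit, lowercase, uppercase)
EXEC_SLOTS = (
    (3, stat.S_IXUSR, stat.S_ISUID, "s", "S"),
    (6, stat.S_IXGRP, stat.S_ISGID, "s", "S"),
    (9, stat.S_IXOTH, stat.S_ISVTX, "t", "T"),
)

def parse_exec_bits(perm):
    """Extract execute and setuid/setgid/sticky bits from e.g. '-rwsr-xr-x'."""
    if len(perm) < 10:
        raise ValueError("expected an ls -l permission string")
    bits = 0
    for idx, xflag, special, lower, upper in EXEC_SLOTS:
        ch = perm[idx]
        if ch in ("x", lower):      # lowercase s/t: special bit AND execute
            bits |= xflag
        if ch in (lower, upper):    # uppercase S/T: special bit without execute
            bits |= special
    return bits

def setuid_exposure(ls_line):
    """Return (path, owner, scope); scope says who can run the file as owner."""
    fields = ls_line.split()
    perm, owner, path = fields[0], fields[2], fields[-1]
    bits = parse_exec_bits(perm)
    if perm[0] != "-" or not bits & stat.S_ISUID:
        scope = "not-setuid"
    elif bits & stat.S_IXOTH:
        scope = "world"             # accounts outside owner/group can invoke it
    elif bits & stat.S_IXGRP:
        scope = "group"             # only members of the file's group
    elif bits & stat.S_IXUSR:
        scope = "owner"
    else:
        scope = "nobody"
    return path, owner, scope

LISTING = [
    # from the quoted message above
    "-rwsr-xr-x 1 ecartis daemon 199880 2006-04-14 18:36 /usr/lib/ecartis/ecartis",
    # constructed lines for comparison (hypothetical paths and accounts)
    "-rwsr-x--- 1 archive mail 52000 2009-09-21 19:10 /opt/example/indexer",
    "-rwxr-xr-x 1 archive mail 52000 2009-09-21 19:10 /opt/example/plain",
]

if __name__ == "__main__":
    for line in LISTING:
        print(*setuid_exposure(line))
```

A scope of `world` is the case described in the reply: every account on the host can run the program as its owner.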