diff options
| author | Wojtek Kosior <koszko@koszko.org> | 2024-01-09 12:15:02 +0100 |
|---|---|---|
| committer | W. Kosior <koszko@koszko.org> | 2024-12-24 09:35:56 +0100 |
| commit | b40252147e2a490dc5bfe15d7b90330af784333d (patch) | |
| tree | 9727ab7195a25751c7de5a22210399c6dff14977 /gnu/local.mk | |
| parent | 859add8587bfa2056df60e93687374d088a1220f (diff) | |
| download | guix-b40252147e2a490dc5bfe15d7b90330af784333d.tar.gz guix-b40252147e2a490dc5bfe15d7b90330af784333d.zip | |
services: Support running Exim with setuid/setgid.
In a typical configuration, Exim binary is setuid root and the Exim daemon
process listens for connections under a non-root system account (usually
`exim`). Upon receiving a message, it forks into a child process which
re-executes the binary to regain privileges and deliver the mail to its
destination (e.g. a Maildir inside user's home directory).
Besides the setuid binary itself, such setup also requires the Exim
configuration file to live at the path Exim considers safe. It defaults to
/etc/exim.conf and changing it requires rebuilding the Exim daemon. If a
configuration at unsafe path is used instead, Exim drops its privileges before
reading it and becomes unable to perform certain kinds of email delivery.
* gnu/services/mail.scm (<exim-configuration>)[setuid-user]: New field.
(<exim-configuration>)[setgid-group]: New field.
(exim-computed-config-file): Delete variable.
(exim-shepherd-service)[start]: Use Exim's default config at /etc/exim.conf.
(exim-activation): Atomically put Exim's current config at /etc/exim.conf and
verify its syntactic correctness.
(exim-setuids): New variable.
(exim-service-type)[extensions]: Extend `setuid-program-service-type`.
Change-Id: Ie6153baac80180d3d48f6b5a6959895df06aef0b
Diffstat (limited to 'gnu/local.mk')
0 files changed, 0 insertions, 0 deletions