Closed racke closed 3 years ago
I also think the following condition in Sympa::Aliases::Template is not a good design pattern for a two step process (update alias file, newaliases program).
return 0
if lc Conf::get_robot_conf($list->{'domain'}, 'sendmail_aliases') eq
'none';
My suggestion would be to have one configuration parameter for each task.
See also #1009
I suggest we should cataloguing in which cases we really need to use the wrapper. For most cases we can probably recommend to use configure flags --disable-setuid_fcgi
and --disable-setuid_queue
.
Also now with the environment cleaned out in the alias wrapper we have the detrimental effect that SYMPALIB is not passed on. Thus sympa_newaliases.pl fails in a cpanm/locallib setup as the script doesn't find the needed Perl modules.
But we don't need the wrapper for Postfix or Exim if the permissions are set up correctly.
This is a follow up to #943. It is established security practice to only elevate privileges if really needed. Currently we always call the wrapper instead of the newaliases program, which is a bad idea.
Especially as the wrapper is usually not needed. With postfix you are usually running postmap. Exim can use plain text files, so it doesn't need any newaliases program.
So we could call the program directly (at least in the default configuration).
Does that make sense?