Closed racke closed 3 years ago
racke
commented
4 years ago I also think the following condition in Sympa::Aliases::Template is not a good design pattern for a two step process (update alias file, newaliases program).
return 0
if lc Conf::get_robot_conf($list->{'domain'}, 'sendmail_aliases') eq
'none';My suggestion would be to have one configuration parameter for each task.
ikedas
commented
4 years ago See also #1009
racke
commented
3 years ago I suggest we should cataloguing in which cases we really need to use the wrapper. For most cases we can probably recommend to use configure flags --disable-setuid_fcgiand --disable-setuid_queue.
racke
commented
3 years ago Also now with the environment cleaned out in the alias wrapper we have the detrimental effect that SYMPALIB is not passed on. Thus sympa_newaliases.pl fails in a cpanm/locallib setup as the script doesn't find the needed Perl modules.
But we don't need the wrapper for Postfix or Exim if the permissions are set up correctly.
This is a follow up to #943. It is established security practice to only elevate privileges if really needed. Currently we always call the wrapper instead of the newaliases program, which is a bad idea.
Especially as the wrapper is usually not needed. With postfix you are usually running postmap. Exim can use plain text files, so it doesn't need any newaliases program.
So we could call the program directly (at least in the default configuration).
Does that make sense?