On Mon, 8 Jan 2007, Josip Rodin wrote:
> Restricting -d to trusted users has been the default for as long as I can remember. Tracking back old versions, I can confirm that it's been done since at least six years ago. It's a pretty sane default and changing it would be a mistake IMHO.
I agree that use with esmtp is a minority case. The one reason I think changing this default might be reasonable is precisely because maildrop is not shipped setuid root in Debian, so its behaviour when setuid root could arguably be looser.
In any case, I can just use procmail, as previously indicated. Not ideal (I switched from using procmail to maildrop because it is more user-friendly), but not disastrous either. I guess the procmail authors don't agree with the authors of maildrop!
One last security point: using esmtp rather than a full-blown MTA is a big security win anyway: no setuid binaries, and much less code in which to find security bugs. Most users don't want or need a full MTA anyway, and I think for these reasons it's nice to make it easier to avoid.
-- http://rrt.sc3d.org/ | competent, a. under-promoted