Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi all,
I run fetchmail to download all my emails from remote mail server to my linux server. But every time when i run fetchmail -v i am getting a warning that
" Running as root is discouraged"
I just want to know whether it is unsecure to run fetchmail as root user.
Obviously, or you wouldn't get that message.
Quote:
Can anyone explain me the effects of running fetchmail as root.
Thanks in advance,
Dinesh.
Yes...the man page for Fetchmail can shed some light, as can Google. From the man page:
Code:
...could open a security hole, because they pass text manipulable by an attacker to a shell command. Potential shell characters are
replaced by '_' before execution. The hole is further reduced by the fact that fetchmail temporarily discards any suid privileges it
may have while running the MDA. For maximum safety, however, don't use an mda command containing %F or %T when fetchmail is run from
the root account itself.
Hi TB0ne,
Thanks for your reply. I will now change my fetchmail process to own by user other than root.
But still i cant understand the risks involved in running fetchmail as root clearly. But i will google for that.
Thank you again.
You can't?? Even after reading the piece from the man page I posted?
Think about it...fetchmail processes an email with a script attached. Again, reading the man page will explain things further, but if you're running as root, that script can do ANYTHING. Not running as root? It can't.
dinakumar12, You need to think of this in terms of "what if this were to happen". See this CVE regarding Fetchmail. It is an example where a bug allowed a user to execute arbitrary code with the privilege of the user that Fetchmail is executing as. If you are running as root, the attacker would have root access to your machine and the data on the machine would now be forfeit.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
