On Monday 20 Jul 2015 22:50:31 Walter Dnes wrote:
> On Mon, Jul 20, 2015 at 06:49:00PM +0100, Mick wrote
> 
> > This is all good and dandy, but letting user "nobody" read your
> > mail accoutn passwd may not be the safest approach to sending email
> > messages from your machine.
> 
>   I think you missed the point.  The "NOPASSWD:" option means that this
> one particular user "nobody" ***DOES NOT NEED THE ROOT PASSWORD*** to
> execute this one particular command which normally requires "root" level
> privileges.  I repeat, it has no need for the password.  

I have not missed the point you are raising.  My concern was that "nobody" is 
a user account without a login shell, to which you give access to a user file 
that has a login shell and in particular to a file that contains the email 
account passwd of that user.

Given that public servers and daemons often run as nobody:nogroup I would be 
cautious about this.  I do not have an exact script in mind which could 
potentially cause privilege escalation, but someone more skilled that I in the 
dark arts could well do.

-- 
Regards,
Mick