Re: Exim? Secure? Uh... (fwd)

Author: Philip Hazel
Date:
To: exim-users
Subject: Re: Exim? Secure? Uh... (fwd)
I just said I posted to the list yesterday. I lied. I thought I had sent
this message to the list as well as to an individual. Apologies. As we
say in Cambridge, I plead incuria. Here is the message:
------------------------------------------------------------------------

I find it odd that people with these criticisms don't copy them to the
author of the program they are criticising to give him a chance to react
to them directly, before going public.

Exim contains bugs. Exim probably contains security exposures. I am only
a poor ex-MVS programmer struggling to come to terms with this
multi-headed hydra of an operating system called Unix. I am not a
security expert - my mind isn't devious enough :-) - but of course I'm
aware of security issues and try to do what I can to avoid them, and I'm
learning all the time.

I believe that some of the points in the message are to some extent
unfounded - as soon as somebody spots the text "seteuid" in a program it
seems to trigger an automatic strong negative response, for example - and
I wondered just what documentation was missing, since I do describe in
chapter 44 exactly how Exim uses setuid and seteuid. If someone would
care to let me know what documentation is expected, I will consider
writing it; if I don't know, I can't do it.

I will try to sort out any points that I think are valid, and do
something about them in due course.

One thing I will not do is engage in confrontational-style discussions
(aka flame wars). They are not productive and don't do my stress levels
any good.

Philip

-- 
Philip Hazel                   University Computing Service,
ph10@???             New Museums Site, Cambridge CB2 3QG,
P.Hazel@???          England.  Phone: +44 1223 334714