Re: [Exim] Does Exim have security problems?

Author: Michael Stevens
Date:  
To: exim-users
Subject: Re: [Exim] Does Exim have security problems?
On Tue, Aug 29, 2000 at 04:04:27PM +0200, Phil Pennock wrote:
> The only recent issue which comes to mind is that Sendmail, in common
> with a great number of other applications, was bitten by a Linux kernel
> bug, which allowed a malicious local user to manipulate the inherited
> capabilities such that a setuid program couldn't then drop its
> privileges. Sendmail didn't check the return value from the setuid()
> system call. That's a bug, but one which a _great_ many other programs
> made; it would be unfair (and for me hypocritical) for people to blame
> sendmail because of problems in the Linux kernel. (I'm sure that some
> of my old proglets didn't check the return from setuid() when root -
> none of those are in use today though).


I remember a recent-ish hole that let local users trash the alias file
(IIRC), but I can't recall a major security hole in sendmail for quite
some time.

I have entirely other reasons for avoiding sendmail :).

Michael.
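
The unchecked setuid() call described in the quoted message, next to a checked and verified privilege drop. This is an added example, not part of the original post and not sendmail or Exim code; `drop_privileges` is a hypothetical helper name, and the demo in `main` uses the process's own IDs so it runs with or without root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the quoted message describes is a bare call:
 *     setuid(uid);        (return value ignored)
 * If that call fails, the program carries on with root privileges. */

/* Hypothetical helper (assumption, not from any MTA's source).
 * Returns 0 only if the process verifiably runs as uid/gid afterwards.
 * A real daemon also clears supplementary groups with setgroups() first. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first: once setuid() succeeds we may lack the right to change it. */
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%ld): %s\n", (long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%ld): %s\n", (long)uid, strerror(errno));
        return -1;
    }
    /* Do not rely on the return value alone: confirm real and effective IDs. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A permanent drop must not be reversible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demo: "drop" to the IDs the process already has. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fputs("privilege drop failed, refusing to continue\n", stderr);
        return 1;
    }
    puts("privileges dropped and verified");
    return 0;
}
```

A caller should treat a -1 return as fatal and exit rather than continue with whatever privileges it still holds.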