Re: [Exim] Configuration data that is sensitive

Author: Brian K. West
Date:  
To: Philip Hazel
CC: exim-users
Subject: Re: [Exim] Configuration data that is sensitive

Philip,
    I am inclined to say limit it to root only.  Anyone else shouldn't have
a use for this option.  I could give out additional info that is not needed
by a normal user.  But I am paranoid as hell.


Later,
Brian

----- Original Message -----
From: "Philip Hazel" <ph10@???>
To: <exim-users@???>
Sent: Friday, September 29, 2000 10:56 AM
Subject: [Exim] Configuration data that is sensitive


> It was pointed out recently that the -bP option in Exim (which shows the
> setting of one or more options) was rather more open than it should be,
> because options like mysql_servers can contain authentication
> information. I've just had a think about this. There are two possible
> approaches:
>
> (1) Just restrict the use of -bP to admin users. This is the easy thing
> to do. However, it seems a bit heavy handed.
>
> (2) Invent a notional flag that is set for certain options, restricting
> them to admin users only. This is not a huge amount of work, and I think
> there are only a few such options:
>
>    mysql_servers
>    pgsql_servers
>    all the query or queries options, because they can contain
>      password information in LDAP queries
>    server_secret     in authenticators
>    server_condition  in authenticators, because it might have an inline
>                        password
>    client_secret     in authenticators
>    client_send       in authenticators
>
> Does anyone have any views? I'm inclined to do (2).
>
> --
> Philip Hazel            University of Cambridge Computing Service,
> ph10@???      Cambridge, England. Phone: +44 1223 334714.
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>
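
Approach (2) from the quoted message, sketched as an added example that is not part of the thread and is not Exim's own code: each option carries a flag, and the display routine withholds flagged values from non-admin callers. The struct, the `OPT_SECURE` flag, the function names and every option value are assumptions made for illustration; `primary_hostname` stands in for an ordinary, non-sensitive option.

```c
#include <stdio.h>
#include <string.h>

#define OPT_SECURE 0x01  /* hypothetical flag: value may hold credentials */

struct option {
    const char *name;
    const char *value;   /* constructed placeholder values */
    unsigned flags;
};

static const struct option options[] = {
    { "primary_hostname", "mail.example.test",                  0 },
    { "mysql_servers",    "db.example.test/mail/exim/PLACEHOLDER", OPT_SECURE },
    { "server_secret",    "PLACEHOLDER",                         OPT_SECURE },
    { "client_secret",    "PLACEHOLDER",                         OPT_SECURE },
};
#define N_OPTIONS (sizeof options / sizeof options[0])

/* Format one option into buf.
   Returns 0 if the value was shown, 1 if withheld, -1 if the name is unknown. */
int show_option(const char *name, int is_admin, char *buf, size_t len)
{
    for (size_t i = 0; i < N_OPTIONS; i++) {
        const struct option *o = &options[i];
        if (strcmp(o->name, name) != 0)
            continue;
        if ((o->flags & OPT_SECURE) && !is_admin) {
            /* The option name is still listed; only the value is hidden. */
            snprintf(buf, len, "%s = <value withheld>", o->name);
            return 1;
        }
        snprintf(buf, len, "%s = %s", o->name, o->value);
        return 0;
    }
    snprintf(buf, len, "%s: unknown option", name);
    return -1;
}

int main(void)
{
    char buf[128];
    for (int admin = 0; admin <= 1; admin++) {
        printf("-- caller is %s\n", admin ? "admin" : "ordinary user");
        for (size_t i = 0; i < N_OPTIONS; i++) {
            show_option(options[i].name, admin, buf, sizeof buf);
            puts(buf);
        }
    }
    return 0;
}
```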