Re: [Exim] TLS and root priv

Author: Philip Hazel
Date:  
To: Tim Waugh
CC: exim-users
Subject: Re: [Exim] TLS and root priv
On Sat, 17 Feb 2001, Tim Waugh wrote:

> With exim running as user mail group mail, exim can't read the SSL
> certificate (only readable by root). To quote the reporter,


It is clearly documented that if you set an Exim uid/gid, it runs as
that user when receiving mail. It gives up all root privilege once the
daemon has bound to port 25. So if you want it to read certificate
files, they have to be readable by that user.

> "Would it be better to read the config, read certificates to memory
> first and then change uid/gid to specified in config."


Exim is flexible. The certificate required can vary, depending on the
connecting host (and anything else you like - day of the week,
whatever). So it would need to read all possible certificates that it
might ever require. I do not think this is sensible.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
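
Added example, not part of the original message and not Exim code: a pre-flight check for the requirement stated in the reply above, that certificate and key files must be readable by the uid/gid Exim runs as after it drops root. The function names are hypothetical, the uid, gid and paths are supplied by the caller, and only classic mode bits are evaluated (ACLs are an unmodelled assumption).

```python
import os

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids for this inode.

    The kernel picks exactly one class: owner, else group, else other.
    ACLs, capabilities and the uid 0 bypass are not modelled here.
    """
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_denial(path, uid, gids, root="/"):
    """Return (component, reason) for the first thing blocking a read, else None.

    Every directory from root down needs search (x) permission and the
    file itself needs read (r) permission for the given uid/gids.
    """
    path, root = os.path.realpath(path), os.path.realpath(root)
    current, chain = root, [root]
    for part in os.path.relpath(path, root).split(os.sep):
        current = os.path.join(current, part)
        chain.append(current)
    for component in chain[:-1]:
        if not class_bits(os.stat(component), uid, gids) & 1:
            return (component, "no search permission")
    if not class_bits(os.stat(path), uid, gids) & 4:
        return (path, "no read permission")
    return None

def world_readable(path):
    """True if the 'other' class can read the file (too open for a private key)."""
    return bool(os.stat(path).st_mode & 0o004)

if __name__ == "__main__":
    import sys
    # Usage: check.py UID GID FILE...  (the uid/gid Exim runs as; paths are yours)
    if len(sys.argv) >= 4:
        uid, gid = int(sys.argv[1]), int(sys.argv[2])
        for f in sys.argv[3:]:
            print(f, first_denial(f, uid, {gid}) or "readable",
                  "(world-readable)" if world_readable(f) else "")
```

Granting read access through the group class (for example mode 0640 with the file's group set to Exim's group) satisfies the check without making a private key world-readable.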