Re: [Exim] Exim and IBM DB2

Author: Philip Hazel
Date:  
To: Sheldon Hearn
CC: Sean Witham, Exim Users Mailing List
Subject: Re: [Exim] Exim and IBM DB2
On Wed, 19 Dec 2001, Sheldon Hearn wrote:

> Actually, Exim's invulnerability to abuse of its setuid privilege isn't
> hard to prove. There's not that much code to audit between program
> execution and setuid()/setgid() time.


Sorry, Sheldon, but I'm afraid that's not true. An Exim delivery process
retains privilege until after it has done local deliveries. Each local
delivery is done in a subprocess which throws away privilege, but the
controlling process retains privilege.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
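
The process layout described in the reply above (a controlling process that keeps its privilege and a subprocess per delivery that throws it away), sketched as an added example; this is not Exim's code and not part of the original message. The function names and the 65534 target id are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: permanently drop to uid/gid. 0 on success, -1 on failure. */
static int drop_privilege(uid_t uid, gid_t gid)
{
    /* Order matters: groups first, then gid, then uid; once the uid is
       gone the process may no longer change its groups. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop rather than trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must not be reversible */
    return 0;
}

/* Hypothetical controller step: one delivery in one subprocess.
   Returns 0 if the child ran unprivileged, 1 if the drop failed,
   -1 on fork/wait errors. The caller's own ids are left untouched. */
int deliver_in_subprocess(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privilege(uid, gid) != 0) _exit(1);  /* fail closed */
        /* ... the local delivery would run here, unprivileged ... */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed target: 65534 when started as root, else our own ids. */
    int root = (geteuid() == 0);
    uid_t uid = root ? 65534 : getuid();
    gid_t gid = root ? 65534 : getgid();
    int rc = deliver_in_subprocess(uid, gid);
    printf("child rc=%d, controller euid still %ld\n", rc, (long)geteuid());
    return rc;
}
```

Because only the child calls `setuid()`, everything the controlling process executes before and between deliveries still runs with the original privilege and stays in scope for an audit.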