Author: Sheldon Hearn
Date:
To: Philip Hazel
CC: exim-users
Subject: Re: [Exim] What to do about non-monotonic process ids
On (2003/01/31 10:29), Philip Hazel wrote:
> > Is this facility used anywhere else for constructing unique filenames?
> > In particular, is it used anywhere the filenames should be unpredictable?
>
> I don't think filenames need to be unpredictable in Exim.
So when Exim delivers a message locally into a Maildir format mailbox,
it takes care not to follow a symlink, yes? :-)
If not, then any local Maildir account-holder can overwrite any file on
the system for which group mail write access is available. This assumes
that /var/mail is 0770 root:mail, which is a common configuration.
At this point, a few readers are worried. O, ye of little faith!
Looking at appendfile.c, I see that Exim _does_ take care to avoid this.
The comments don't suggest that this was taken into consideration during
design.
Whether or not the issue _was_ considered during design, the point that
I'm trying to prove by example is that a 3rd-party auditor would have
to do a lot of work to prove that the use of unpredictable filenames in
Exim is not required. :-)
And one day, when you're no longer the (only) maintainer of the
software, someone's bound to make a mistake somewhere that'll have a
(hopefully still) large number of people wishing that someone way back
when had opted for unpredictable filenames. :-)
Ciao,
Sheldon.
PS: This put a smile on my face...
/* If we went round the loop 10 times, the directory was flickering in
and out of existence like someone in a malfunctioning Star Trek
transporter. */
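The attack Sheldon sketches (predictable delivery filename + a symlink planted by the mailbox owner + a delivery agent running with group mail write access) and the open() discipline that defeats it, as an added example. This is not Exim's appendfile.c and makes no claim about how Exim actually implements its check; the message only says that it does. The directory, the victim file and the guessable Maildir-style name are constructed for the demo, and the fstat/lstat cross-check in safe_create() is this example's own belt-and-braces addition on top of O_EXCL.

```python
"""Added example, not Exim code: why local Maildir delivery must not follow
a symlink sitting at a predictable filename.

Threat model from the thread: /var/mail is 0770 root:mail, delivery runs
with group mail, and the mailbox owner controls their own Maildir. If the
owner can guess the next delivery name they plant a symlink there pointing
at any file group mail can write. All paths below are constructed."""
import os
import stat
import tempfile

# O_NOFOLLOW is Linux/BSD; fall back to 0 elsewhere, O_EXCL still refuses
# to open through an existing symlink (even a dangling one).
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def unsafe_create(path: str) -> int:
    """Naive delivery: O_CREAT without O_EXCL opens straight through a symlink."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def safe_create(path: str) -> int:
    """Hardened delivery: O_EXCL fails if anything already exists at path,
    O_NOFOLLOW refuses symlinks outright, and the fstat/lstat cross-check
    (this example's addition) confirms the descriptor really is the fresh
    regular file we just created and not something swapped in underneath."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    try:
        st_fd = os.fstat(fd)
        st_path = os.lstat(path)
        if not (stat.S_ISREG(st_fd.st_mode) and st_fd.st_nlink == 1
                and (st_fd.st_dev, st_fd.st_ino) == (st_path.st_dev, st_path.st_ino)):
            raise OSError("delivery target is not the regular file we created")
    except BaseException:
        os.close(fd)
        raise
    return fd


def victim_overwritten(use_safe: bool) -> bool:
    """Plant a symlink at the guessable delivery name, attempt a delivery with
    the chosen open() variant, and report whether the victim file got clobbered."""
    workdir = tempfile.mkdtemp(prefix="maildir-demo-")
    victim = os.path.join(workdir, "victim")  # stands in for a group-mail-writable file
    delivery = os.path.join(workdir, "1043999999.12345.host")  # guessable Maildir name
    try:
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, delivery)  # the mailbox owner's move
        try:
            fd = safe_create(delivery) if use_safe else unsafe_create(delivery)
        except OSError:
            fd = -1  # hardened path refused the planted name
        if fd >= 0:
            os.write(fd, b"clobbered\n")
            os.close(fd)
        with open(victim) as f:
            return f.read().startswith("clobbered")
    finally:
        for p in (delivery, victim):
            try:
                os.unlink(p)
            except FileNotFoundError:
                pass
        os.rmdir(workdir)


if __name__ == "__main__":
    print("unsafe open wrote through the symlink:", victim_overwritten(False))
    print("safe open wrote through the symlink:  ", victim_overwritten(True))
```

The point of the demo relative to the thread: unpredictable filenames only make the owner's guess harder, whereas O_EXCL (plus O_NOFOLLOW where available) makes the guess worthless, because an existing symlink at the chosen name causes the open to fail instead of being followed. Both defences are cheap; the one that does not depend on the quality of a name generator is the one a third-party auditor can verify by reading a single open() call.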