Re: [Exim] What to do about non-monotonic process ids

Author: Sheldon Hearn
Date:  
To: Philip Hazel
CC: exim-users
Subject: Re: [Exim] What to do about non-monotonic process ids
On (2003/01/31 10:29), Philip Hazel wrote:

> > Is this facility used anywhere else for constructing unique filenames?
> > In particular, is it used anywhere the filenames should be unpredictable?
>
> I don't think filenames need to be unpredictable in Exim.

So when Exim delivers a message locally into a Maildir format mailbox,
it takes care not to follow a symlink, yes? :-)

If not, then any local Maildir account-holder can overwrite any file on
the system for which group mail write access is available. This assumes
that /var/mail is 0770 root:mail, which is a common configuration.

At this point, a few readers are worried. O, ye of little faith!

Looking at appendfile.c, I see that Exim _does_ take care to avoid this.
The comments don't suggest that this was taken into consideration during
design.

Whether or not the issue _was_ considered during design, the point that
I'm trying to prove by example is that a 3rd-party auditor would have
to do a lot of work to prove that the use of unpredictable filenames in
Exim is not required. :-)

And one day, when you're no longer the (only) maintainer of the
software, someone's bound to make a mistake somewhere that'll have a
(hopefully still) large number of people wishing that someone way back
when had opted for unpredictable filenames. :-)

Ciao,
Sheldon.

PS: This put a smile on my face...

/* If we went round the loop 10 times, the directory was flickering in
and out of existence like someone in a malfunctioning Star Trek
transporter. */
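The symlink hazard Sheldon describes (a deliverer creating a file under a name someone else can predict, where a planted symlink redirects the write to another file) is easiest to see with both patterns side by side. The following is an added illustration, not code from Exim's appendfile.c or from this thread: it builds a scratch directory with a constructed "victim" file and a constructed predictable tmp-file name, plants a symlink at that name, and shows that a plain create-or-truncate open follows the link while an open using O_EXCL plus O_NOFOLLOW (followed by an fstat sanity check on the descriptor) refuses it. The file names and the demo function are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: create-or-truncate. If `path` is already a symlink planted
 * by someone who could predict the name, the kernel follows it and the link
 * target is truncated instead of a new file being created. */
static int open_new_file_naively(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
}

/* Hardened pattern: O_EXCL makes open() fail if anything (a symlink included)
 * already exists at `path`; O_NOFOLLOW refuses a trailing symlink outright;
 * the fstat check confirms the descriptor is a freshly created regular file
 * with a single link. An unpredictable name is defence in depth on top of this. */
int open_new_file_safely(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EEXIST;
        return -1;
    }
    return fd;
}

/* Read a small file back into buf; returns bytes read or -1. */
static ssize_t slurp(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Demo on constructed files in a scratch directory. Returns 1 when the naive
 * open clobbers the victim through the symlink, the safe open refuses the same
 * symlink and leaves the victim intact, and the safe open succeeds on an
 * unclaimed name; returns 0 otherwise. */
int demo_symlink_trap(void)
{
    char dir[] = "/tmp/maildir-demo-XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(dir))
        return 0;

    char victim[PATH_MAX], trap[PATH_MAX], fresh[PATH_MAX], buf[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    /* Constructed stand-in for a predictable time.pid.host tmp name. */
    snprintf(trap, sizeof trap, "%s/1043938170.12345.host", dir);
    snprintf(fresh, sizeof fresh, "%s/1043938170.12345.host.unclaimed", dir);

    int ok = 1;

    /* Victim file with known contents, standing in for a file the deliverer can write. */
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || write(vfd, "original\n", 9) != 9) ok = 0;
    if (vfd >= 0) close(vfd);

    /* Symlink planted at the name the deliverer is about to use. */
    if (symlink(victim, trap) < 0) ok = 0;

    /* Naive open follows the link: the victim ends up empty. */
    int nfd = open_new_file_naively(trap, 0600);
    if (nfd < 0) ok = 0; else close(nfd);
    if (slurp(victim, buf, sizeof buf) != 0) ok = 0;

    /* Restore the victim, then try the hardened open against the same trap. */
    vfd = open(victim, O_WRONLY | O_TRUNC);
    if (vfd < 0 || write(vfd, "original\n", 9) != 9) ok = 0;
    if (vfd >= 0) close(vfd);

    int sfd = open_new_file_safely(trap, 0600);
    if (sfd >= 0) { ok = 0; close(sfd); }              /* must be refused */
    else if (errno != EEXIST && errno != ELOOP) ok = 0;
    if (slurp(victim, buf, sizeof buf) != 9 || strcmp(buf, "original\n") != 0) ok = 0;

    /* An unclaimed name is created normally. */
    sfd = open_new_file_safely(fresh, 0600);
    if (sfd < 0) ok = 0; else close(sfd);

    unlink(trap); unlink(victim); unlink(fresh); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink trap demo: %s\n",
           demo_symlink_trap() ? "hardened open refused the link" : "FAILED");
    return 0;
}
```

The scratch directory is private (mkdtemp creates it 0700), so the kernel's protected_symlinks restriction for sticky world-writable directories does not mask the naive failure; in a real shared spool that sysctl is one more layer, not a substitute for O_EXCL and O_NOFOLLOW at the point of file creation.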