Author: Harald Meland Date: To: exim-users Subject: Re: [Exim] Conditionalize a router on file existence; effective uid and NFS woes
[Sheldon Hearn]
> On (2003/08/05 14:18), Harald Meland wrote:
>
>> During delivery, the stat() function is run as root, but there is a
>> facility for checking the accessibility of a file by another
>> user. [...]
>>
>> , and that is not true. Exim _tries_ to do an ad-hoc-check of the
>> accessibility by another user, but the check is not *really* checking
>> the accessibility by another user; one should use
>> set[e]uid(2)+access(2) for that.
>
> Even access(2) is fallible. Given that it's not going to get the job
> right all the time, why go to all this extra effort anyway?

I was actually hoping that using access(2) instead of Exim's homegrown
route_check_access() would both a) reduce the amount of effort needed
and b) get the answer right in a few more cases, e.g. in the face of
file ACLs.

However, I was not aware of any deep security problem with using
access(2). If the problem is due to POSIX design mistakes, and hence
in practice unfixable, I concede that using access(2) would not be a
good idea.

> Other platforms have fallible access(2) implementations too.

If the security risk is due to fallible implementations, I think it
would be nice if Exim used access(2) on platforms with solid
implementations, and avoided it on other platforms.

I do see that this could be leading into a "what is a solid
implementation" discussion, and I don't really want to go there. :-)

> Note that I'm only advising against waste of effort. I'm not
> arguing with the rest of your message, which points to what seems
> like a legitimate problem.
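As an added example (not code from this thread or from Exim), here is the set[e]uid(2)+access(2) check discussed above, written in C for Linux: because access(2) consults the real IDs rather than the effective ones, the helper switches both with setresuid(2)/setresgid(2) and keeps the saved IDs at root so it can switch back. The second function shows the alternative that sidesteps a check-then-use window: open the file as that user and let the kernel's own check be the decision. The function names, the root-only precondition and the omission of supplementary groups are this example's assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Does the process already run with exactly these real/effective IDs? */
static int already_user(uid_t uid, gid_t gid) {
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Adopt the real and effective IDs of the user, keeping the saved IDs at 0
 * so root can be regained afterwards.  Needs euid 0.  Supplementary groups
 * are left alone (a full emulation would also call setgroups(2)). */
static int become_user(uid_t uid, gid_t gid) {
    if (geteuid() != 0) { errno = EPERM; return -1; }
    if (setresgid(gid, gid, 0) != 0) return -1;  /* gid first, while still root */
    return setresuid(uid, uid, 0);
}

/* Regain root via the saved IDs; failing here would leave the process
 * half-privileged, so treat it as fatal. */
static void restore_root(void) {
    if (setresuid(0, 0, 0) != 0 || setresgid(0, 0, 0) != 0) abort();
}

/* access(2) tests the *real* IDs, so seteuid() alone would check the wrong
 * user; both real and effective IDs are switched.  Returns 0 when `mode`
 * (R_OK, W_OK, X_OK or F_OK) is permitted for that user, else -1 with errno. */
int access_as_user(uid_t uid, gid_t gid, const char *path, int mode) {
    int switched = !already_user(uid, gid);
    if (switched && become_user(uid, gid) != 0) return -1;
    int rc = access(path, mode);
    int saved = errno;
    if (switched) restore_root();
    errno = saved;
    return rc;
}

/* Race-free variant: rather than asking whether the user could open the
 * file and acting on the answer later, open it as the user right away.
 * Returns a descriptor or -1 with errno. */
int open_as_user(uid_t uid, gid_t gid, const char *path, int flags) {
    int switched = !already_user(uid, gid);
    if (switched && become_user(uid, gid) != 0) return -1;
    int fd = open(path, flags);
    int saved = errno;
    if (switched) restore_root();
    errno = saved;
    return fd;
}
```

Run as root to test a different uid; as an unprivileged user the helpers fall through to a plain access(2)/open(2) for the caller's own identity.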