Re: [Exim] Conditionalize a router on file existence; effect…

Author: Harald Meland
Date:  
To: exim-users
Subject: Re: [Exim] Conditionalize a router on file existence; effective uid and NFS woes
[Sheldon Hearn]

> On (2003/08/05 14:18), Harald Meland wrote:
>
>> During delivery, the stat() function is run as root, but there is a
>> facility for checking the accessibility of a file by another
>> user. [...]
>>
>> , and that is not true. Exim _tries_ to do an ad-hoc-check of the
>> accessibility by another user, but the check is not *really* checking
>> the accessibility by another user; one should use
>> set[e]uid(2)+access(2) for that.
>
> Even access(2) is fallible. Given that it's not going to get the job
> right all the time, why go to all this extra effort anyway?
I was actually hoping that using access(2) instead of Exim's homegrown
route_check_access() would both a) reduce the amount of effort needed
and b) get the answer right in a few more cases, e.g. in the face of
file ACLs.

However, I was not aware of any deep security problem with using
access(2). If the problem is due to POSIX design mistakes, and hence
in practice unfixable, I concede that using access(2) would not be a
good idea.

> Other platforms have fallible access(2) implementations too.
If the security risk is due to fallible implementations, I think it
would be nice if Exim used access(2) on platforms with solid
implementations, and avoided it on other platforms.

I do see that this could be leading into a "what is a solid
implementation" discussion, and I don't really want to go there. :-)

> Note that I'm only advising against waste of effort. I'm not
> arguing with the rest of your message, which points to what seems
> like a legitimate problem.
Phew, then it's not just me... :-)
--
Harald
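The approach Harald mentions (set[e]uid(2) before the check, instead of predicting the answer from mode bits as a root-level stat() plus a homegrown check does) can be taken one step further so that access(2)'s own fallibility no longer matters: drop to the target identity in a forked child and simply attempt the open. The kernel then applies whatever rules it has (mode bits, supplementary groups, file ACLs), and the result is the outcome of a real operation rather than a prediction. The program below is an added example written for this page; it is not Exim code and `readable_as_user`, `make_demo_file` and `demo_check` are hypothetical names. It only changes identity when the requested uid/gid differ from the caller's, so run unprivileged it checks the current user, and run as root it checks the named user. The answer is still a snapshot: a router condition based on it should be treated as advisory, and the delivery itself should be performed under the same dropped identity.

```c
#define _GNU_SOURCE 1
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: can the user (uid, gid) open `path` for reading?
 * The check is made by doing the open after permanently dropping to that
 * identity in a child process, so the kernel applies its own DAC/ACL rules
 * instead of userland guessing from st_mode.
 * Returns 1 = readable, 0 = not readable or not present, -1 = internal error. */
int readable_as_user(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;

    if (pid == 0) {
        /* Skip the identity change when already that user; unprivileged
         * callers would otherwise fail with EPERM. */
        if (getuid() != uid || getgid() != gid) {
            /* Order matters: clear supplementary groups, set gid, then uid.
             * setuid (not seteuid) so the child cannot regain privilege. */
            if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
                _exit(2);
        }
        int fd = open(path, O_RDONLY);
        if (fd < 0) _exit(1);
        close(fd);
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}

/* Constructed demo input: a temporary file owned by the current user,
 * mode 0600.  Writes the path to `out`; returns 0 on success. */
int make_demo_file(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/accesscheck-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    fchmod(fd, 0600);
    close(fd);
    if (strlen(tmpl) + 1 > outlen) { unlink(tmpl); return -1; }
    strcpy(out, tmpl);
    return 0;
}

/* Self-check: the current user can read the file it just created, and a
 * path that does not exist reports 0.  Returns 1 when both hold, else 0. */
int demo_check(void)
{
    char path[64];
    if (make_demo_file(path, sizeof path) != 0) return 0;
    int ok = readable_as_user(path, getuid(), getgid()) == 1
          && readable_as_user("/nonexistent/example-file", getuid(), getgid()) == 0;
    unlink(path);
    return ok;
}

int main(void)
{
    printf("uid %d: demo_check() = %d\n", (int)getuid(), demo_check());
    return 0;
}
```

Compared with an access(2) call made while still privileged, this pattern gives the same answer the later open() would give for that user, because it is that open(); the cost is a fork per check, which is why it suits a router condition evaluated once per delivery rather than a hot path.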