Re: [exim] exim4 needs CAP_SYS_RESOURCE?

Top Page
Delete this message
Reply to this message
Author: Philip Hazel
Date:  
To: Marc Schiffbauer
CC: exim-users
Subject: Re: [exim] exim4 needs CAP_SYS_RESOURCE?
On Tue, 14 Sep 2004, Marc Schiffbauer wrote:

> > /* When started with root privilege, ensure that the limits on the number of
> > open files and the number of processes (where that is accessible) are    
> > sufficiently large, or are unset, in case Exim has been called from an      
> > environment where the limits are screwed down. Not all OS have the ability to
> > change some of these limits. */   

>
> Hm. Maybe thats the answer, thanks.
>
> So I think from a security point of view it woul not be wise to
> enhance the ACL to give exim permission to do this.
>
> I discovered that this allways happens, if apache uses the exim4
> binary.
>
> Question is: Can this behavior be disabled with some switch or
> config change? www-data is a trusted user already, so that seems not
> to be a solution...


Answer is: No.

This behaviour was added to Exim so that it would work when called from
a very restricted user environment. If you disable that behaviour (the
only way is to patch the source), you run the risk of Exim not being
able to do its job if it is called with very small limits to the
relevant resources.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book