Autor: Bill Hacker Datum: CC: exim-users Betreff: Re: [exim] Uid used to access TLS-certificates
Tony Finch wrote:
> On Fri, 11 Feb 2005, Timo Neuvonen wrote:
>
>>Now user 'exim' seems to be used to read the certificate files.
>>Is there any way to make exim to read the certificates as root? Exim
>>executable is setuid to root, so it should be possible, I think.
>
>
> No: Exim doesn't read the certificate until the last possible moment, at
> which point it has thrown away all privilege. You can restrict readability
> of the certificate to the Exim user to hide it from other users.
>
> (It would probably be safer if Exim had an option to load the certificate
> at startup, and prompt for any passphrase; the cert would then be secure
> against compromise of the exim user.)
>
> Tony.
Hmmm.....
'What if'...
- The path to the cert was an SQL call (cert being stored in the DB)
AND
- the connecting IP was passed as part of the "SELECT ...."
Might that not provide both a means of storing an already unlocked cert
(somewhat) more securely
AND
- providing the cert that matched the domain the IP was assigned to in
multi hosting environments?