Re: [exim] Uid used to access TLS-certificates

Author: Tony Finch
Date:  
To: Bill Hacker
CC: exim-users
Subject: Re: [exim] Uid used to access TLS-certificates
On Sat, 12 Feb 2005, Bill Hacker wrote:
>
> Might that not provide both a means of storing an already unlocked cert
> (somewhat) more securely


Why do you think it would be more secure? It's still readable by the exim
user.

BTW, my configuration contains:

CERTS    = /opt/dist/certs
DB    = /opt/exim/etc/db


PARAM    = ${lookup {$interface_address} cdb {DB/addrparams.cdb} }
NAME    = ${extract {name}{PARAM} {$value} {localhost} }


tls_certificate    = CERTS/server/NAME


(On reflection, my earlier suggestion of trying to restrict the
certificate readability to root is not sufficient, because a copy of it
would be available in running copies of Exim, recoverable by any code
running as the exim user.)

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}