Lähettäjä: Timo Neuvonen Päiväys: Vastaanottaja: exim-users Aihe: [exim] Re: Uid used to access TLS-certificates
> Actually, Exim (strictly) doesn't read the certificate at all; it just > passes the name of the file to the OpenSSH or GnuTLS library. It does
> this when it initializes the library. The library then chooses when to
> read the file. The library is initialized when the client issues
> STARTTLS. I suppose it could be initialized earlier, on spec, but that
> doesn't sound all that helpful.
> I really shouldn't even think about tring to guide you how to write
software, but...
A workaround might be making a temporary working copies of the files at the
time of startup, when root privilegies are available, and granting 'exim'
user the access rights to the files thereafter. So these temporary files
could then be passed to the library. But I just don't know if it increased
security by any means, since there would be temporary copies of key and
certificate files hanging around the filesystem. If they could be just
pointers to some memory area allocated to exim, then things maybe were
different -then there would be no real file.