Author: David Woodhouse
Date:
To: Phil Pennock
CC: exim-dev, Yuri Arabadji
Subject: Re: [exim-dev] potential exploitation vector

On Wed, 2010-11-03 at 23:35 -0400, Phil Pennock wrote:
> On 2010-11-04 at 01:07 +0200, Yuri Arabadji wrote:
> > Hello, Phil.
> > Thanks for your time spent on replying to my message. Let me take another
> > portion of it ;)
> > The specific exim's build I'm using is deployed on many hosting servers across
> > the internet and it would be quite bad if this turns out to be an actual bug:
> > http://diff.cpanel.net/exim/4.69-23.1/src/exim-4.69-23.1_cpanel_maildir.src.rpm
> >
> > EXIM_USER is mailnull. exim -bP exim_user outputs mailnull.
> > uid=47(mailnull) gid=47(mailnull) groups=47(mailnull)
> > Please see the attached traces and especially the line
> > "Let's see what UIDs we've got" in exim.daemon.log.
> > This is an almost unmodified CPanel exim installation. I'm attaching everything
> > relevant. It would be wonderful if you could explain what's going on there and
> > whether that is the expected behavior.
> You're quite right, I was mis-remembering the defaults of Exim. My
> We should probably look at changing the default value of
If we're doing a 4.73 release with a bunch of privsep issues addressed,
this should probably be one of them. Is there a bug open for it?