On Tue, 2010-12-14 at 03:48 -0500, Phil Pennock wrote:
> On 2010-12-14 at 08:06 +0000, David Woodhouse wrote:
> > On Mon, 2010-12-13 at 18:01 -0500, Phil Pennock wrote:
> > >
> > > One of the installation modes for mailscanner is to make the spool
> > > directory be a macro:
> > >
> > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:exim:installation
> >
> > Wait a minute, wasn't that broken even *before* we started to further
> > restrict the use of -C and -D?
>
> No, because mailscanner runs as the Exim user, so is therefore trusted.
But this was for use by applications which are generating email that
needs to be scanned. It's not clear that *those* are trusted.
Anyway, the build-time list of macros which may be defined without
losing privs, with appropriate restrictions on the *content* of those
macros, ought to be fine. If you want to implement that, I have no
objections so it even though I'm not really convinced we *need* it.
--
dwmw2
