Author: W B Hacker Date: To: Marc Haber CC: exim-dev Subject: Re: [exim-dev] What user should ${run...} in config file run as?
Marc Haber wrote: > On Mon, Dec 13, 2010 at 03:01:16PM +0000, Dr Andrew C Aitchison wrote:
>> Is there a good reason not to leave these features out of the default
>> build and make them available only as a compile time option ?
>
> Distributors would end up with these features enabled in their
> packages, invalidating the security win for the vast majority of exim
> installations.
>
> Greetings
> Marc
>
Fair point. But AFAICS, it cuts both ways. Some such already had 'general
purpose' external guards, OpenBSD's noexec, nosuid mounts, to name one example.
And not all localization has been the same, either, AFAICS. Note diffs in the
Exim UID and GID at install time.
One trusts that in the usual thorough Exim manner, there exists a direct 'heads
up' channel to those known to be key players for the various OS'en/distros.
... if not ... etc...
Also looking forward to a general upgrade announcement with a larger helping of
'urgency sauce' than has been past practice...
That attack was a non-trivial exercise, and we should now expect more such
attempts going forward.