On 2012-06-23 at 09:07 +0200, Andreas Metzler wrote:
> After the GnuTLS revamp it looks like PKCS#11 modules are
> suddenly (unnecessarily) autoloaded and fail due to SUID:
Note: the problem here isn't suid itself, but that environment variables
passed through are no longer valid.
If you find the two calls to gnutls_global_init() in tls-gnu.c and
before them insert:
    rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
and one of:
    exim_gnutls_err_check(US"gnutls_pkcs11_init");
    validate_check_rc(US"gnutls_pkcs11_init");
(it should be obvious which goes where, just stay consistent)
then does that fix the problem?
Per:
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
it appears that by default, GnuTLS will use autoload, but you can
override it *before* the global init call.
If this is the problem, we'll probably have to wrap this in a config
option and default it to disabled, because I can see folks using server
credentials stored in a PKCS11 module which they *do* want used, but it
should be requested by the admin. So it's not always "unnecessarily",
just in your case it is, and I think it's unnecessary unless explicitly
requested.
I don't think there's another decent solution, since the fact that
environment variables are used *at all* is a module-specific fact. Exim
deliberately preserves much of the environment.