Re: [exim] tls_privatekey mode 644 / root owned -- why is it…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Jeremy Harris
Datum:  
To: exim-users
Betreff: Re: [exim] tls_privatekey mode 644 / root owned -- why is it read only after privileges have been droppped ?
On 18/08/17 20:41, Patrick Pfeifer via Exim-users wrote:
> Anyhow, it could be
> arranged for the feature to only be effective for the opposite case
> (i.e. |tls_in_sni| NOT appearing in the main section’s tls_certificate
> option, couldn't it?


No. It can still depend on other external factors, due to an expansion
that doesn't happen to need SNI info. Such as the peer IP, as I
previously said.

And even if it didn't use any expansion, we do not want to expand
the attack surface by doing more work with root privs. As I
previously said.
--
Cheers,
Jeremy