Author: Jeremy Harris Date: To: exim-users Subject: Re: [exim] tls_privatekey mode 644 / root owned -- why is it read
only after privileges have been droppped ?
On 18/08/17 20:41, Patrick Pfeifer via Exim-users wrote: > Anyhow, it could be
> arranged for the feature to only be effective for the opposite case
> (i.e. |tls_in_sni| NOT appearing in the main section’s tls_certificate
> option, couldn't it?
No. It can still depend on other external factors, due to an expansion
that doesn't happen to need SNI info. Such as the peer IP, as I
previously said.
And even if it didn't use any expansion, we do not want to expand
the attack surface by doing more work with root privs. As I
previously said.
--
Cheers,
Jeremy