Re: [exim] tls_privatekey mode 644 / root owned -- why is it…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MJasen Betts at <-
MViktor Dukhovni at ->
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] tls_privatekey mode 644 / root owned -- why is it read only after privileges have been droppped ?
On 18/08/17 20:41, Patrick Pfeifer via Exim-users wrote:
> Anyhow, it could be
> arranged for the feature to only be effective for the opposite case
> (i.e. |tls_in_sni| NOT appearing in the main section’s tls_certificate
> option, couldn't it?

No. It can still depend on other external factors, due to an expansion
that doesn't happen to need SNI info. Such as the peer IP, as I
previously said.

And even if it didn't use any expansion, we do not want to expand
the attack surface by doing more work with root privs. As I
previously said.
--
Cheers,
Jeremy

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] local server accessRe: [exim] tls_privatekey mode 644 / root owned -- why is it read only after privileges have been droppped ?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)