Re: [exim] tls_privatekey mode 644 / root owned -- why is it…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jeremy Harris
Date:  
À: exim-users
Sujet: Re: [exim] tls_privatekey mode 644 / root owned -- why is it read only after privileges have been droppped ?
On 18/08/17 20:41, Patrick Pfeifer via Exim-users wrote:
> Anyhow, it could be
> arranged for the feature to only be effective for the opposite case
> (i.e. |tls_in_sni| NOT appearing in the main section’s tls_certificate
> option, couldn't it?


No. It can still depend on other external factors, due to an expansion
that doesn't happen to need SNI info. Such as the peer IP, as I
previously said.

And even if it didn't use any expansion, we do not want to expand
the attack surface by doing more work with root privs. As I
previously said.
--
Cheers,
Jeremy