On 2012-06-23 at 09:07 +0200, Andreas Metzler wrote: > After the the GnuTLS revamp it loooks like PKCS#11 modules are > suddenly (unnecessarily) autoloaded and fail due to SUID:
Note: the problem here isn't suid itself, but that environment variables passed through are no longer valid. If you find the two calls to gnutls_global_init() in tls-gnu.c and before them insert: rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); and one of: exim_gnutls_err_check(US"gnutls_pkcs11_init"); validate_check_rc(US"gnutls_pkcs11_init"); (it should be obvious which goes where, just stay consistent) then does that fix the problem? Per: http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs it appears that by default, GnuTLS will use autoload, but you can override it *before* the global init call. If this it the problem, we'll probably have to wrap this in a config option and default it to disabled, because I can see folks using server credentials stored in a PKCS11 module which they *do* want used, but it should be requested by the admin. So it's not always "unnecessarily", just in your case it is, and I think it's unnecessary unless explicitly requested. I don't think there's another decent solution, since the fact that environment variables are used *at all* is a module-specific fact. Exim deliberately preserves much of the environment. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
