On 2017-08-18 20:12, Jeremy Harris wrote:
First, you don't need to copy exim-dev as well as exim-users.
Devs will be reading both.
Ok. Sorry about the noise.
Exim does as little work as possible while in a privileged state, and
drops privs to do the rest. To regain privs it execs a new Exim.
Aha. Not in my setup though. (I see only one Exim process with UID
Debian-exim and I see no way that it could re-gain privs, although
root-owned, soes not have the suid bit set.)
The cert and privatekey files used can depend on information only
available immediately before they are needed (such as the remote IP).
As such they are only read at that time.
Aha. Well, that feature is putting some hurdle to the implementation of
my idea somehow. How is it activated?
Actually /all/ those certificates could / would then just need to be
read into memory (or a file descriptor to them acquired) early on, i.e.
as root. I imagine that it the number of keys is reasonably small for a
typical setup - but I have no clue about such setups actually (?).
Or would that already be too much of a security threat in your eyes as
well? ... Actually I would argue against it, as with the current setup
Exim has access to all key files anyway. ...
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
