
Re: default MTA for sarge



On Wed, Jul 16, 2003 at 09:05:07AM +1000, Craig Sanders wrote:
> On Tue, Jul 15, 2003 at 11:22:02AM -0400, Noah L. Meyerhans wrote:
> > On Wed, Jul 16, 2003 at 12:12:59AM +1000, Craig Sanders wrote:
> > > while (AFAIK) there are no current exploits for exim, that is more by accident
> > > or luck than by design - the monolithic mail daemon running as root design is
> > > inherently insecure.  

> > OK, Craig, this statement betrays your ignorance.  You clearly don't
> > know enough about exim to make a significant contribution to this
> > conversation.

> > Exim *does not run as root*.  OK?  It starts as root to bind to port 25.
> > Period.  It then drops root privileges and runs as uid mail.  Deliveries
> > are not done as root, but as mail.

> sorry, there is a profound difference between a) a huge program which runs as
> root (dropping privs or changing uid as needed) and b) having small, easily
> auditable separate processes for whatever root privs are required.

Not to rain on a fellow exim detractor, but there's nothing inherently
insurmountable about auditing the code paths in a monolithic program
that run before privileges are dropped.  Either architecture can be
easily mucked up by someone making code changes that don't belong,
whether the boundary between privileged and unprivileged code is a
separate object file or a "Do not enter" sign in the source.

-- 
Steve Langasek
postmodern programmer
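The sequence Noah describes above (bind the port while still root, then drop to an unprivileged uid) together with the check an auditor of that pre-drop code path wants, as an added C example; it is neither exim's code nor any poster's. Uid/gid 65534 as the unprivileged target, loopback as the bind address and port 0 standing in for 25 (so it also runs unprivileged) are assumptions.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1, still privileged: bind the listener. Port 25 needs root;
 * port 0 asks the kernel for an ephemeral port. Returns fd or -1. */
int bind_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: drop root permanently. Order matters: supplementary groups and
 * gid first (they need root), uid last. setuid() called as root sets the
 * real, effective AND saved uid, so the drop cannot be undone. 0 on success. */
int drop_root(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Step 3: the audit check. After a real drop, regaining root must fail;
 * setuid(0) only succeeds if a saved uid of 0 was left behind. */
int root_regainable(void) {
    if (geteuid() == 0) return 1;
    if (setuid(0) == 0) return 1;
    return 0;
}

int main(void) {
    uid_t u = geteuid() == 0 ? 65534 : getuid();  /* 65534: assumed "nobody" */
    gid_t g = geteuid() == 0 ? 65534 : getgid();
    int fd = bind_listener(0);
    if (fd < 0 || drop_root(u, g) != 0) { perror("setup"); return 1; }
    printf("uid %u, root regainable: %d\n", (unsigned)geteuid(), root_regainable());
    close(fd);
    return 0;
}
```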
