[Dovecot] gdbhelper.c concerns
Jeff A. Earickson
jaearick at colby.edu
Tue Jan 17 23:28:45 EET 2006
Timo,
I was surprised to find both an execvp() and a system() call
in gdbhelper.c. While gdbhelper should be running as an ordinary
user (the person running imap), I find it a bit scary. I realize
that the code is getting ready to run gdb, which is god-knows-where
in the user's path. But still... Maybe the code should do a getuid()
and/or geteuid() and refuse to run if the uid is zero.
Also, the code does the fork() *before* checking the argc count.
Maybe do it the other way around so the i_fatal is killing
one process instead of two.
Jeff Earickson
Colby College