[Vmail-discuss] Security note for exim and MySQL

Paul Warren pdw@xxxxxxxxxxxxx
Sun, 11 Nov 2001 21:09:35 +0000


On Sun, Nov 11, 2001 at 01:45:06PM -0600, Eric Renfro wrote:
> Just in case, I noticed from the documentation of vmail-sql, and
> exim's setup:
>  
> mysql_servers = host/user/pass
>  
> This alone is insecure, and should be prepended with the hide
> directive to look more like:
>  
> hide mysql_servers = host/user/pass
>  
> This will hide that from even just running exim -bP, which any user
> could normally run, regardless if they have read access to the conf
> file of exim.

Good point - thanks for that.  Is this option a recent addition to exim?
Our 3.13 installation doesn't seem to support it.

Paul
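
Added example, not part of the original thread and not vmail-sql or exim code: a small Python audit that reports credential-bearing options (here `mysql_servers`, as discussed above) that are set without `hide` in an exim configuration. The function names and both sample configurations are constructed for illustration.

```python
import re

# Options that carry database credentials. Only mysql_servers comes from
# the thread; extend the tuple for other lookup types you configure.
SECRET_OPTIONS = ("mysql_servers",)

def logical_lines(text):
    """Yield (first_line_number, text), folding backslash continuations."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            if not line or line.startswith("#"):
                continue          # blank line or comment outside a setting
            start = num
        if line.endswith("\\"):
            buf += line[:-1]      # drop the backslash, keep reading
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:         # file ended in the middle of a continuation
        yield start, buf

def unhidden_secrets(text, options=SECRET_OPTIONS):
    """Return [(line_number, option)] for secret options set without 'hide'."""
    names = "|".join(re.escape(o) for o in options)
    pattern = re.compile(r"^(hide\s+)?(%s)\s*=" % names)
    findings = []
    for num, line in logical_lines(text):
        m = pattern.match(line)
        if m and not m.group(1):
            findings.append((num, m.group(2)))
    return findings

# Constructed samples; host/user/pass are placeholders, as in the thread.
WEAK = """# main configuration
primary_hostname = mail.example.org
mysql_servers = host/user/\\
                pass
"""
FIXED = WEAK.replace("mysql_servers", "hide mysql_servers")

if __name__ == "__main__":
    for num, opt in unhidden_secrets(WEAK):
        print("line %d: %s is set without 'hide'" % (num, opt))
```

`hide` only affects what `exim -bP` prints for non-admin users; the permissions on the configuration file itself still decide who can read the password from disk.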