[Dovecot] gdbhelper.c concerns

Jeff A. Earickson jaearick at colby.edu
Tue Jan 17 23:28:45 EET 2006


Timo,
    I was surprised to find both an execvp() and a system() call
in gdbhelper.c.  While gdbhelper should be running as an ordinary
user (the person running imap), I find it a bit scary.  I realize
that the code is getting ready to run gdb, which is god-knows-where
in the user's path.  But still...  Maybe the code should do a getuid() 
and/or geteuid() and refuse to run if the uid is zero.

Also, the code does the fork() *before* checking the argc count.
Maybe do it the other way around so the i_fatal is killing
one process instead of two.

Jeff Earickson
Colby College
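
An added illustration of the two points raised above (this is example code, not Dovecot's gdbhelper.c and not code from the message): a small helper that refuses to run when either the real or the effective uid is zero, validates argc in the parent before fork(), and starts the debugger through fork()/execve() with a fixed absolute path and a minimal environment rather than system() or a PATH-dependent execvp(). The gdb location (/usr/bin/gdb), the "gdb -batch -p <pid>" invocation and the one-argument usage are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed location of gdb. A fixed absolute path means the caller's PATH
 * is never consulted when the debugger is started. */
#define GDB_PATH "/usr/bin/gdb"

/* Refuse to run if either the real or the effective uid is root, so a
 * helper whose only job is to exec a debugger never does so privileged. */
int refuse_privileged(uid_t uid, uid_t euid)
{
    return uid == 0 || euid == 0;
}

/* The example helper expects exactly one argument: the pid to attach to.
 * Checking argc here, in the parent, means a usage error is reported by
 * one process and never reaches fork(). */
int check_args(int argc)
{
    return argc == 2;
}

/* Run an absolute path with an explicit argv and a minimal environment via
 * fork()/execve(); no shell is involved. Returns the child's exit status
 * (0..255), 127 if the exec itself failed, or -1 on fork()/waitpid() error
 * or if the child was killed by a signal. */
int run_command(const char *path, char *const argv[])
{
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);             /* exec failed; do not fall back to a shell */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}

int main(int argc, char *argv[])
{
    /* Order of checks: privilege first, then arguments, then fork. */
    if (refuse_privileged(getuid(), geteuid())) {
        fprintf(stderr, "%s: refusing to run as root\n", argv[0]);
        return 1;
    }
    if (!check_args(argc)) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 1;
    }

    /* Assumed gdb invocation for the example: attach to the pid in batch mode. */
    char *const gdb_argv[] = { "gdb", "-batch", "-p", argv[1], NULL };
    int rc = run_command(GDB_PATH, gdb_argv);
    if (rc == 127) {
        fprintf(stderr, "could not execute %s\n", GDB_PATH);
        return 1;
    }
    return rc < 0 ? 1 : rc;
}
```

The checks are kept in small separate functions so they can be exercised without actually attaching a debugger; run_command() is the only place a child is created, and it reports an exec failure as 127 instead of trying anything else.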
