From: Matthias A. <mat...@gm...> - 2010-07-28 20:24:00

On 28.07.2010 19:04, R P Herrold wrote:
> On Wed, 28 Jul 2010, Matthias Andree wrote:
>
>> Don't. fetchmail in most modes suppresses writing core files
>> with setrlimit(), to avoid passwords hitting the disk
>> outside the .netrc or .fetchmailrc files.
>
> goodness -- I recall reporting that matter to ESR and getting
> the patch, probably a decade ago

Hi there,

just for our edification, with grep & git gui blame, it took me only a couple of seconds to figure this out:

It's been 12 years minus 5 days that ESR committed this code to fetchmail.c:

> /*
>  * Before getting passwords, disable core dumps unless -v -d0 mode is on.
>  * Core dumps could otherwise contain passwords to be scavenged by a
>  * cracker.
>  */
> if (outlevel < O_VERBOSE || run.poll_interval > 0)
> {
>     struct rlimit corelimit;
>     corelimit.rlim_cur = 0;
>     corelimit.rlim_max = 0;
>     setrlimit(RLIMIT_CORE, &corelimit);
> }

(I'm pasting from a future development branch that has lost the #ifdef HAVE_SETRLIMIT guards.)

Now, after two repository conversions (CVS->SVN and SVN->Git), we can still figure when he did that:

> commit 1587e4153763fab493acf2deee9028e24e1da57f
> Author: Eric S. Raymond <es...@th...>
> Date:   Sun Aug 2 16:30:25 1998 +0000
>
>     Improved security.
>
>     svn path=/trunk/; revision=2032

From OLDNEWS:

> fetchmail-4.5.5 (Mon Aug 3 16:08:14 EDT 1998), 15286 lines:
...
> * Added setrlimit call to inhibit core dumps unless debugging is on.
...

This also states how Thomas can enable core dumps: always run with -vd0 (which spams the logs or cron output quite a bit).

I had - long ago - read there was such code, but lacked the time to dig deeper earlier today. Now that I got this pointer, here we go... :)

Best regards

--
Matthias Andree
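
An added example, not part of the original message or of fetchmail's source: the same RLIMIT_CORE hardening as the quoted snippet, but with the setrlimit() return value checked and the result read back with getrlimit(). The function names and the VERBOSE_LEVEL constant are hypothetical stand-ins for fetchmail's outlevel/O_VERBOSE.

```c
#include <stdio.h>
#include <sys/resource.h>

/* Hypothetical stand-in for fetchmail's O_VERBOSE threshold. */
#define VERBOSE_LEVEL 1

/* Returns 1 if both soft and hard core limits are 0, 0 if not, -1 on error. */
int core_dumps_disabled(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/*
 * Same condition as the quoted snippet: core dumps stay possible only for a
 * verbose foreground run (-v -d0). Returns 1 if dumps were disabled, 0 if
 * the limit was left untouched, -1 if setting or verifying the limit failed.
 */
int harden_before_passwords(int outlevel, int poll_interval)
{
    struct rlimit corelimit;

    if (outlevel >= VERBOSE_LEVEL && poll_interval <= 0)
        return 0;               /* debugging run: keep the current limit */

    corelimit.rlim_cur = 0;     /* soft limit: no core file is written */
    corelimit.rlim_max = 0;     /* hard limit: soft limit cannot be raised */
    if (setrlimit(RLIMIT_CORE, &corelimit) != 0) {
        perror("setrlimit(RLIMIT_CORE)");
        return -1;
    }
    /* Read the limit back instead of assuming the call took effect. */
    return core_dumps_disabled() == 1 ? 1 : -1;
}

int main(void)
{
    /* Constructed inputs: a verbose foreground run, then a quiet daemon run. */
    printf("-v -d0 run   -> %d\n", harden_before_passwords(VERBOSE_LEVEL, 0));
    printf("quiet daemon -> %d\n", harden_before_passwords(0, 60));
    printf("disabled now -> %d\n", core_dumps_disabled());
    return 0;
}
```

Because the hard limit is set to 0 as well, an unprivileged process cannot raise the core limit again for the rest of its lifetime.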