<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><style xmlns="" type="text/css">
div.added { background-color: #ffff99; }
div.deleted { text-decoration: line-through;
background-color: #FF7F7F; }
div.changed { background-color: #99ff99; }
div.off { }
span.added { background-color: #ffff99; }
span.deleted { text-decoration: line-through;
background-color: #FF7F7F; }
span.changed { background-color: #99ff99; }
span.off { }
pre.literallayout {
background-color: #E8E8D0;
padding-left: 0.5cm;
padding-top: 5px;
padding-bottom: 5px;
}
div[class=changed] pre.literallayout {
background-color: #99ff99;
padding-left: 0.5cm;
padding-top: 5px;
padding-bottom: 5px;
}
div.literallayout {
background-color: #E8E8D0;
padding-left: 0.5cm;
padding-top: 5px;
padding-bottom: 5px;
}
div[class=changed] div.literallayout {
background-color: #99ff99;
padding-left: 0.5cm;
padding-top: 5px;
padding-bottom: 5px;
}
</style><title>52. Security considerations</title><meta name="generator" content="DocBook XSL Stylesheets V1.72.0" /><link rel="start" href="index.html" title="Specification of the Exim Mail Transfer Agent" /><link rel="up" href="index.html" title="Specification of the Exim Mail Transfer Agent" /><link rel="prev" href="ch51.html" title="51. The Exim monitor" /><link rel="next" href="ch53.html" title="53. Format of spool files" /></head><body><div class="navheader">
<table width="100%" summary="Navigation header"><tr><td width="20%" align="left"><a accesskey="p" href="ch51.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ch53.html">Next</a></td></tr></table></div>
<div class="chapter" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h2 class="title"><a href="index.html#toc0475" id="CHAPsecurity">52. Security considerations</a></h2></div>
</div>
</div>
<p>
<a id="IIDsecurcon" class="indexterm"></a>
This chapter discusses a number of issues concerned with security, some of
which are also covered in other parts of this manual.
</p>
<p>
For reasons that this author does not understand, some people have promoted
Exim as a “<span class="quote">particularly secure</span>” mailer. Perhaps it is because of the
existence of this chapter in the documentation. However, the intent of the
chapter is simply to describe the way Exim works in relation to certain
security concerns, not to make any specific claims about the effectiveness of
its security as compared with other MTAs.
</p>
<p>
What follows is a description of the way Exim is supposed to be. Best efforts
have been made to try to ensure that the code agrees with the theory, but an
absence of bugs can never be guaranteed. Any that are reported will get fixed
as soon as possible.
</p>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0476" id="SECID286">52.1 Building a more “<span xmlns="http://www.w3.org/1999/xhtml" class="quote">hardened</span>” Exim</a></h3></div>
</div>
</div>
<p>
<a id="id657541" class="indexterm"></a>
There are a number of build-time options that can be set in <em class="filename">Local/Makefile</em>
to create Exim binaries that are “<span class="quote">harder</span>” to attack, in particular by a rogue
Exim administrator who does not have the root password, or by someone who has
penetrated the Exim (but not the root) account. These options are as follows:
</p>
<div class="itemizedlist">
<ul type="disc"><li><p>
ALT_CONFIG_PREFIX can be set to a string that is required to match the
start of any file names used with the <span><strong class="option">-C</strong></span> option. When it is set, these file
names are also not allowed to contain the sequence “<span class="quote">/../</span>”. (However, if the
value of the <span><strong class="option">-C</strong></span> option is identical to the value of CONFIGURE_FILE in
<em class="filename">Local/Makefile</em>, Exim ignores <span><strong class="option">-C</strong></span> and proceeds as usual.) There is no
default setting for <span><strong class="option">ALT_CONFIG_PREFIX</strong></span>.
</p>
<p>
If the permitted configuration files are confined to a directory to
which only root has access, this guards against someone who has broken
into the Exim account from running a privileged Exim with an arbitrary
configuration file, and using it to break into other accounts.
</p>
</li><li><p>
If ALT_CONFIG_ROOT_ONLY is defined, root privilege is retained for <span><strong class="option">-C</strong></span>
and <span><strong class="option">-D</strong></span> only if the caller of Exim is root. Without it, the Exim user may
also use <span><strong class="option">-C</strong></span> and <span><strong class="option">-D</strong></span> and retain privilege. Setting this option locks out
the possibility of testing a configuration using <span><strong class="option">-C</strong></span> right through message
reception and delivery, even if the caller is root. The reception works, but by
that time, Exim is running as the Exim user, so when it re-execs to regain
privilege for the delivery, the use of <span><strong class="option">-C</strong></span> causes privilege to be lost.
However, root can test reception and delivery using two separate commands.
ALT_CONFIG_ROOT_ONLY is not set by default.
</p>
</li><li><p>
If DISABLE_D_OPTION is defined, the use of the <span><strong class="option">-D</strong></span> command line option
is disabled.
</p>
</li><li><p>
FIXED_NEVER_USERS can be set to a colon-separated list of users that are
never to be used for any deliveries. This is like the <span><strong class="option">never_users</strong></span> runtime
option, but it cannot be overridden; the runtime option adds additional users
to the list. The default setting is “<span class="quote">root</span>”; this prevents a non-root user who
is permitted to modify the runtime file from using Exim as a way to get root.
</p>
</li></ul></div>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0477" id="SECID270">52.2 Root privilege</a></h3></div>
</div>
</div>
<p>
<a id="id657699" class="indexterm"></a>
<a id="id657710" class="indexterm"></a>
The Exim binary is normally setuid to root, which means that it gains root
privilege (runs as root) when it starts execution. In some special cases (for
example, when the daemon is not in use and there are no local deliveries), it
may be possible to run Exim setuid to some user other than root. This is
discussed in the next section. However, in most installations, root privilege
is required for two things:
</p>
<div class="itemizedlist">
<ul type="disc"><li><p>
To set up a socket connected to the standard SMTP port (25) when initialising
the listening daemon. If Exim is run from <span class="emphasis"><em>inetd</em></span>, this privileged action is
not required.
</p>
</li><li><p>
To be able to change uid and gid in order to read users’ <em class="filename">.forward</em> files and
perform local deliveries as the receiving user or as specified in the
configuration.
</p>
</li></ul></div>
<p>
It is not necessary to be root to do any of the other things Exim does, such as
receiving messages and delivering them externally over SMTP, and it is
obviously more secure if Exim does not run as root except when necessary.
For this reason, a user and group for Exim to use must be defined in
<em class="filename">Local/Makefile</em>. These are known as “<span class="quote">the Exim user</span>” and “<span class="quote">the Exim
group</span>”. Their values can be changed by the run time configuration, though this
is not recommended. Often a user called <span class="emphasis"><em>exim</em></span> is used, but some sites use
<span class="emphasis"><em>mail</em></span> or another user name altogether.
</p>
<p>
Exim uses <em class="function">setuid()</em> whenever it gives up root privilege. This is a permanent
abdication; the process cannot regain root afterwards. Prior to release 4.00,
<em class="function">seteuid()</em> was used in some circumstances, but this is no longer the case.
</p>
<p>
After a new Exim process has interpreted its command line options, it changes
uid and gid in the following cases:
</p>
<div class="itemizedlist">
<ul type="disc"><li><p>
<a id="id657823" class="indexterm"></a>
<a id="id657834" class="indexterm"></a>
If the <span><strong class="option">-C</strong></span> option is used to specify an alternate configuration file, or if
the <span><strong class="option">-D</strong></span> option is used to define macro values for the configuration, and the
calling process is not running as root or the Exim user, the uid and gid are
changed to those of the calling process.
However, if ALT_CONFIG_ROOT_ONLY is defined in <em class="filename">Local/Makefile</em>, only
root callers may use <span><strong class="option">-C</strong></span> and <span><strong class="option">-D</strong></span> without losing privilege, and if
DISABLE_D_OPTION is set, the <span><strong class="option">-D</strong></span> option may not be used at all.
</p>
</li><li><p>
<a id="id657882" class="indexterm"></a>
<a id="id657894" class="indexterm"></a>
<a id="id657906" class="indexterm"></a>
If the expansion test option (<span><strong class="option">-be</strong></span>) or one of the filter testing options
(<span><strong class="option">-bf</strong></span> or <span><strong class="option">-bF</strong></span>) are used, the uid and gid are changed to those of the
calling process.
</p>
</li><li><p>
If the process is not a daemon process or a queue runner process or a delivery
process or a process for testing address routing (started with <span><strong class="option">-bt</strong></span>), the
uid and gid are changed to the Exim user and group. This means that Exim always
runs under its own uid and gid when receiving messages. This also applies when
testing address verification
<a id="id657946" class="indexterm"></a>
<a id="id657957" class="indexterm"></a>
(the <span><strong class="option">-bv</strong></span> option) and testing incoming message policy controls (the <span><strong class="option">-bh</strong></span>
option).
</p>
</li><li><p>
For a daemon, queue runner, delivery, or address testing process, the uid
remains as root at this stage, but the gid is changed to the Exim group.
</p>
</li></ul></div>
<p>
The processes that initially retain root privilege behave as follows:
</p>
<div class="itemizedlist">
<ul type="disc"><li><p>
A daemon process changes the gid to the Exim group and the uid to the Exim
user after setting up one or more listening sockets. The <em class="function">initgroups()</em>
function is called, so that if the Exim user is in any additional groups, they
will be used during message reception.
</p>
</li><li><p>
A queue runner process retains root privilege throughout its execution. Its
job is to fork a controlled sequence of delivery processes.
</p>
</li><li><p>
A delivery process retains root privilege throughout most of its execution,
but any actual deliveries (that is, the transports themselves) are run in
subprocesses which always change to a non-root uid and gid. For local
deliveries this is typically the uid and gid of the owner of the mailbox; for
remote deliveries, the Exim uid and gid are used. Once all the delivery
subprocesses have been run, a delivery process changes to the Exim uid and gid
while doing post-delivery tidying up such as updating the retry database and
generating bounce and warning messages.
</p>
<p>
While the recipient addresses in a message are being routed, the delivery
process runs as root. However, if a user’s filter file has to be processed,
this is done in a subprocess that runs under the individual user’s uid and
gid. A system filter is run as root unless <span><strong class="option">system_filter_user</strong></span> is set.
</p>
</li><li><p>
A process that is testing addresses (the <span><strong class="option">-bt</strong></span> option) runs as root so that
the routing is done in the same environment as a message delivery.
</p>
</li></ul></div>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0478" id="SECTrunexiwitpri">52.3 Running Exim without privilege</a></h3></div>
</div>
</div>
<p>
<a id="id658062" class="indexterm"></a>
<a id="id658073" class="indexterm"></a>
<a id="id658084" class="indexterm"></a>
Some installations like to run Exim in an unprivileged state for more of its
operation, for added security. Support for this mode of operation is provided
by the global option <span><strong class="option">deliver_drop_privilege</strong></span>. When this is set, the uid and
gid are changed to the Exim user and group at the start of a delivery process
(and also queue runner and address testing processes). This means that address
routing is no longer run as root, and the deliveries themselves cannot change
to any other uid.
</p>
<p>
<a id="id658113" class="indexterm"></a>
<a id="id658124" class="indexterm"></a>
Leaving the binary setuid to root, but setting <span><strong class="option">deliver_drop_privilege</strong></span> means
that the daemon can still be started in the usual way, and it can respond
correctly to SIGHUP because the re-invocation regains root privilege.
</p>
<p>
An alternative approach is to make Exim setuid to the Exim user and also setgid
to the Exim group. If you do this, the daemon must be started from a root
process. (Calling Exim from a root process makes it behave in the way it does
when it is setuid root.) However, the daemon cannot restart itself after a
SIGHUP signal because it cannot regain privilege.
</p>
<p>
It is still useful to set <span><strong class="option">deliver_drop_privilege</strong></span> in this case, because it
stops Exim from trying to re-invoke itself to do a delivery after a message has
been received. Such a re-invocation is a waste of resources because it has no
effect.
</p>
<p>
If restarting the daemon is not an issue (for example, if <span><strong class="option">mua_wrapper</strong></span> is
set, or <span class="emphasis"><em>inetd</em></span> is being used instead of a daemon), having the binary setuid
to the Exim user seems a clean approach, but there is one complication:
</p>
<p>
In this style of operation, Exim is running with the real uid and gid set to
those of the calling process, and the effective uid/gid set to Exim’s values.
Ideally, any association with the calling process’ uid/gid should be dropped,
that is, the real uid/gid should be reset to the effective values so as to
discard any privileges that the caller may have. While some operating systems
have a function that permits this action for a non-root effective uid, quite a
number of them do not. Because of this lack of standardization, Exim does not
address this problem at this time.
</p>
<p>
For this reason, the recommended approach for “<span class="quote">mostly unprivileged</span>” running
is to keep the Exim binary setuid to root, and to set
<span><strong class="option">deliver_drop_privilege</strong></span>. This also has the advantage of allowing a daemon to
be used in the most straightforward way.
</p>
<p>
If you configure Exim not to run delivery processes as root, there are a
number of restrictions on what you can do:
</p>
<div class="itemizedlist">
<ul type="disc"><li><p>
You can deliver only as the Exim user/group. You should explicitly use the
<span><strong class="option">user</strong></span> and <span><strong class="option">group</strong></span> options to override routers or local transports that
normally deliver as the recipient. This makes sure that configurations that
work in this mode function the same way in normal mode. Any implicit or
explicit specification of another user causes an error.
</p>
</li><li><p>
Use of <em class="filename">.forward</em> files is severely restricted, such that it is usually
not worthwhile to include them in the configuration.
</p>
</li><li><p>
Users who wish to use <em class="filename">.forward</em> would have to make their home directory and
the file itself accessible to the Exim user. Pipe and append-to-file entries,
and their equivalents in Exim filters, cannot be used. While they could be
enabled in the Exim user’s name, that would be insecure and not very useful.
</p>
</li><li><p>
Unless the local user mailboxes are all owned by the Exim user (possible in
some POP3 or IMAP-only environments):
</p>
<div class="orderedlist">
<ol type="1"><li><p>
They must be owned by the Exim group and be writeable by that group. This
implies you must set <span><strong class="option">mode</strong></span> in the appendfile configuration, as well as the
mode of the mailbox files themselves.
</p>
</li><li><p>
You must set <span><strong class="option">no_check_owner</strong></span>, since most or all of the files will not be
owned by the Exim user.
</p>
</li><li><p>
You must set <span><strong class="option">file_must_exist</strong></span>, because Exim cannot set the owner correctly
on a newly created mailbox when unprivileged. This also implies that new
mailboxes need to be created manually.
</p>
</li></ol></div>
</li></ul></div>
<p>
These restrictions severely restrict what can be done in local deliveries.
However, there are no restrictions on remote deliveries. If you are running a
gateway host that does no local deliveries, setting <span><strong class="option">deliver_drop_privilege</strong></span>
gives more security at essentially no cost.
</p>
<p>
If you are using the <span><strong class="option">mua_wrapper</strong></span> facility (see chapter
<a href="ch48.html" title="48. Using Exim as a non-queueing client">48</a>), <span><strong class="option">deliver_drop_privilege</strong></span> is forced to be true.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0479" id="SECID271">52.4 Delivering to local files</a></h3></div>
</div>
</div>
<p>
Full details of the checks applied by <span><strong class="command">appendfile</strong></span> before it writes to a file
are given in chapter <a href="ch26.html" title="26. The appendfile transport">26</a>.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0480" id="SECID272">52.5 IPv4 source routing</a></h3></div>
</div>
</div>
<p>
<a id="id658384" class="indexterm"></a>
<a id="id658398" class="indexterm"></a>
Many operating systems suppress IP source-routed packets in the kernel, but
some cannot be made to do this, so Exim does its own check. It logs incoming
IPv4 source-routed TCP calls, and then drops them. Things are all different in
IPv6. No special checking is currently done.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0481" id="SECID273">52.6 The VRFY, EXPN, and ETRN commands in SMTP</a></h3></div>
</div>
</div>
<p>
Support for these SMTP commands is disabled by default. If required, they can
be enabled by defining suitable ACLs.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0482" id="SECID274">52.7 Privileged users</a></h3></div>
</div>
</div>
<p>
<a id="id658445" class="indexterm"></a>
<a id="id658456" class="indexterm"></a>
<a id="id658466" class="indexterm"></a>
<a id="id658477" class="indexterm"></a>
<a id="id658492" class="indexterm"></a>
Exim recognizes two sets of users with special privileges. Trusted users are
able to submit new messages to Exim locally, but supply their own sender
addresses and information about a sending host. For other users submitting
local messages, Exim sets up the sender address from the uid, and doesn’t
permit a remote host to be specified.
</p>
<p>
<a id="id658509" class="indexterm"></a>
However, an untrusted user is permitted to use the <span><strong class="option">-f</strong></span> command line option
in the special form <span><strong class="option">-f <></strong></span> to indicate that a delivery failure for the
message should not cause an error report. This affects the message’s envelope,
but it does not affect the <span class="emphasis"><em>Sender:</em></span> header. Untrusted users may also be
permitted to use specific forms of address with the <span><strong class="option">-f</strong></span> option by setting
the <span><strong class="option">untrusted_set_sender</strong></span> option.
</p>
<p>
Trusted users are used to run processes that receive mail messages from some
other mail domain and pass them on to Exim for delivery either locally, or over
the Internet. Exim trusts a caller that is running as root, as the Exim user,
as any user listed in the <span><strong class="option">trusted_users</strong></span> configuration option, or under any
group listed in the <span><strong class="option">trusted_groups</strong></span> option.
</p>
<p>
Admin users are permitted to do things to the messages on Exim’s queue. They
can freeze or thaw messages, cause them to be returned to their senders, remove
them entirely, or modify them in various ways. In addition, admin users can run
the Exim monitor and see all the information it is capable of providing, which
includes the contents of files on the spool.
</p>
<p>
<a id="id658572" class="indexterm"></a>
<a id="id658583" class="indexterm"></a>
By default, the use of the <span><strong class="option">-M</strong></span> and <span><strong class="option">-q</strong></span> options to cause Exim to attempt
delivery of messages on its queue is restricted to admin users. This
restriction can be relaxed by setting the <span><strong class="option">no_prod_requires_admin</strong></span> option.
Similarly, the use of <span><strong class="option">-bp</strong></span> (and its variants) to list the contents of the
queue is also restricted to admin users. This restriction can be relaxed by
setting <span><strong class="option">no_queue_list_requires_admin</strong></span>.
</p>
<p>
Exim recognizes an admin user if the calling process is running as root or as
the Exim user or if any of the groups associated with the calling process is
the Exim group. It is not necessary actually to be running under the Exim
group. However, if admin users who are not root or the Exim user are to access
the contents of files on the spool via the Exim monitor (which runs
unprivileged), Exim must be built to allow group read access to its spool
files.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0483" id="SECID275">52.8 Spool files</a></h3></div>
</div>
</div>
<p>
<a id="id658640" class="indexterm"></a>
Exim’s spool directory and everything it contains is owned by the Exim user and
set to the Exim group. The mode for spool files is defined in the
<em class="filename">Local/Makefile</em> configuration file, and defaults to 0640. This means that
any user who is a member of the Exim group can access these files.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0484" id="SECID276">52.9 Use of argv[0]</a></h3></div>
</div>
</div>
<p>
Exim examines the last component of <span><strong class="option">argv[0]</strong></span>, and if it matches one of a set
of specific strings, Exim assumes certain options. For example, calling Exim
with the last component of <span><strong class="option">argv[0]</strong></span> set to “<span class="quote">rsmtp</span>” is exactly equivalent
to calling it with the option <span><strong class="option">-bS</strong></span>. There are no security implications in
this.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0485" id="SECID277">52.10 Use of %f formatting</a></h3></div>
</div>
</div>
<p>
The only use made of “<span class="quote">%f</span>” by Exim is in formatting load average values. These
are actually stored in integer variables as 1000 times the load average.
Consequently, their range is limited and so therefore is the length of the
converted output.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0486" id="SECID278">52.11 Embedded Exim path</a></h3></div>
</div>
</div>
<p>
Exim uses its own path name, which is embedded in the code, only when it needs
to re-exec in order to regain root privilege. Therefore, it is not root when it
does so. If some bug allowed the path to get overwritten, it would lead to an
arbitrary program’s being run as exim, not as root.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0487" id="SECID279">52.12 Use of sprintf()</a></h3></div>
</div>
</div>
<p>
<a id="id658748" class="indexterm"></a>
A large number of occurrences of “<span class="quote">sprintf</span>” in the code are actually calls to
<span class="emphasis"><em>string_sprintf()</em></span>, a function that returns the result in malloc’d store.
The intermediate formatting is done into a large fixed buffer by a function
that runs through the format string itself, and checks the length of each
conversion before performing it, thus preventing buffer overruns.
</p>
<p>
The remaining uses of <em class="function">sprintf()</em> happen in controlled circumstances where
the output buffer is known to be sufficiently long to contain the converted
string.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0488" id="SECID280">52.13 Use of debug_printf() and log_write()</a></h3></div>
</div>
</div>
<p>
Arbitrary strings are passed to both these functions, but they do their
formatting by calling the function <span class="emphasis"><em>string_vformat()</em></span>, which runs through
the format string itself, and checks the length of each conversion.
</p>
</div>
<div class="section" lang="en" xml:lang="en">
<div class="titlepage">
<div>
<div>
<h3 xmlns="" class="title"><a xmlns="http://www.w3.org/1999/xhtml" href="index.html#toc0489" id="SECID281">52.14 Use of strcat() and strcpy()</a></h3></div>
</div>
</div>
<p>
These are used only in cases where the output buffer is known to be large
enough to hold the result.
<a id="id658820" class="indexterm"></a>
</p>
</div>
</div>
<div class="navfooter">
<table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ch51.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ch53.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div>
</body></html>
