On Wed, 7 May 1997, Greg A. Woods wrote:
> The daemon-like design of sendmail and those that have followed it, such
> as smail-3, and exim, is very bad since it entails running a large body
> of code for a long time in a privileged state.
Sorry for shouting, but how many times do I have to say that for Exim in
its most secure configuration, THIS IS NOT SO, before people taken note?
Chapter 44 of the manual explains all about it. From the number of
comments that have been bandied about, it seems clear that nobody reads
it. I have recently written a separate statement about Exim's security
which I will post separately.
On this particular point, let me say it yet again:
If Exim is supplied with its own uid/gid and run in one of the setuid
modes, it ALWAYS uses setuid() (NOT seteuid()) to give up root privilege
as soon as the daemon has set up its listener on port 25. Therefore, it
does not run "a large body of code for a long time in a privileged
state." [That is, if by "privileged state" you mean root. Running as
the Exim uid does carry some privilege, as it is normally possible to
read/write the spool files from that user. So perhaps I am over-reacting
here. If so, apologies.]
> Sendmail and smail-3
> have at long last been modified to fork, and in cases exec a tiny agent,
> when doing the dangerous work of opening a user's files for writing.
This is also NOT so for exim. It ALWAYS forks and uses setuid() before
writing to a user's file, whatever it's security configuration. OK, so
it doesn't fork a separate tiny agent, that's true, but it DOES fork,
and DOES setuid().
> Never the less all of these mailers are usually used in a scenario where
> they continue to run a vast majority of their code in the highly
> privileged state of the superuser.
Exim (when properly configured) runs as superuser only (a) in the
daemon until it has opened port 25 (in other words, during
initialisation) and (b) when doing deliveries while it is routing and
directing - though you can configure it to run setEuid() while doing
that if you want. It NEVER does ANY delivery (local or remote) as root.
> It should be relatively trivial to modify exim so that it can run in
> such an unprivileged state as I've described.
It does, unless you count running as the exim uid/gid as privileged.
I'll try to keep calm and not shout any more.
Philip
--
Philip Hazel University Computing Service,
ph10@??? New Museums Site, Cambridge CB2 3QG,
P.Hazel@??? England. Phone: +44 1223 334714
