Re: [EXIM] simple sendmail replacement? (fwd)

Author: Philip Hazel
Date:  
To: Rudolf Kompf
CC: exim-mailing-list
Subject: Re: [EXIM] simple sendmail replacement? (fwd)
On Mon, 14 Sep 1998, Rudolf Kompf wrote:

> I found the following msg in the fwtk-users mailing-list. Any comments
> from exim-gurus?


Note the date on the message:

> | Date: 15 Apr 1997 00:11:22 GMT

                 ^^^^
This has been thrashed over several times before. There is some truth in 
it, and also there are some misconceptions. Chapter 50 of the manual 
attempts to describe the operations of Exim that are relevant to 
security. Please note in particular the second paragraph of that 
chapter, which reads:


For reasons that this author does not understand, some people have promoted
Exim as a 'particularly secure' mailer. Perhaps it is because of the existence
of this chapter in the documentation. However, the intent of the chapter is
simply to describe the way Exim works in relation to certain security
concerns, not to make any specific claims about the effectiveness of its
security as compared with other MTAs.

Here are brief comments on the message, for the record:

> | Exim is a monolithic program that performs various MTA-related tasks by
> | looking at argv[0]. It configurably runs as root, "semi-root", or
> | non-root, in the same manner as Sendmail: it loses significant
> | capabilities running with all privilege discarded, but in normal operation
> | uses seteuid() to "temporarily" discard privileges.


True, but the last clause is only partially true. For some "normal"
things Exim uses setuid() to permanently discard privileges, e.g. once
it has bound to port 25, or during a local delivery, or while sending
out SMTP.

> | (Exim relies on sprintf and vsprintf throughout the code).


Early versions of Exim were less secure in this regard. I improved the
code as a result of discussions around the time of this message, and it
now uses a private "sprintf" function which checks that it isn't
overflowing the output buffer.

> | In fact, if the authors of Exim

                          ^
                 I was flattered by this :-)          


> | (I'm particularly fond of
> | string_sprintf),


This got re-written to be more secure.

> | and, in some situations, even trusting argv[0] as passed
> | to the program to contain the path to the exim binary.


This is just totally wrong. Exim has never trusted the contents of
argv[0].

> | By way of comparison, Exim not only doesn't document
> | secure design,


The oldest version of Exim I still have (1.62) had a chapter on security
in the documentation. I think it was there from quite early days.

I'm not trying to hold up Exim as a great secure system. I have tried my
best to make it secure within the limits of the way it operates, and to
describe it as well as I can. The code is there for anyone to read. It
is up to you to decide whether to run it or not. Of course I am pleased
when people choose to run my code, but as I am not selling it, I do not
have to advertise or try to persuade anybody.

Philip

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.



--
*** Exim information can be found at http://www.exim.org/ ***
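As an added illustration of the bounded-formatting point made in the reply above (example code written for this page, not Exim's own string_sprintf; the function names and the constructed Received: line values are assumptions):

```c
/* Bounded replacement for sprintf(): formats into a caller-supplied buffer
 * and reports, rather than silently overflowing, when the result will not
 * fit. Built on vsnprintf, which always NUL-terminates when buflen > 0. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>

/* Returns true if the whole formatted string fit in buf; false if it was
 * truncated (buf still holds a NUL-terminated prefix) or buflen is zero. */
bool bounded_sprintf(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buflen == 0)
        return false;                 /* nowhere to write, not even a NUL */
    va_start(ap, fmt);
    n = vsnprintf(buf, buflen, fmt, ap);   /* never writes past buflen */
    va_end(ap);
    if (n < 0) {                      /* encoding error: leave buf empty */
        buf[0] = '\0';
        return false;
    }
    return (size_t)n < buflen;        /* n is the length that was needed */
}

/* Example caller: an MTA building a Received: header from untrusted-length
 * input (remote host name). Returns true only if the line fit. */
bool build_received_line(char *buf, size_t buflen,
                         const char *host, const char *msgid)
{
    return bounded_sprintf(buf, buflen, "Received: from %s id %s", host, msgid);
}

/* Self-check: the line must fit a large buffer and be refused (not
 * overflowed) by a small one. Returns 1 on the expected behaviour. */
int overflow_check(void)
{
    char small[16], big[128];
    const char *host = "mail.example.test";   /* constructed sample value */
    bool ok_big   = build_received_line(big,   sizeof big,   host, "1A2B3C");
    bool ok_small = build_received_line(small, sizeof small, host, "1A2B3C");
    return ok_big && !ok_small && small[sizeof small - 1] == '\0';
}

int main(void)
{
    printf("bounded formatting behaves as expected: %s\n",
           overflow_check() ? "yes" : "no");
    return 0;
}
```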