On Tue, 17 Nov 1998, Lars Kellogg-Stedman wrote:
> However, when using the EXPN command, the filter is run with the uid/gid
> of exim (well, of exim_user and exim_group). The logfile/logwrite options
> can be used to create and write files with these credentials. On my
> system, this would allow one (for instance) to write to the exim config
> file from a filter.
Thank you for pointing this out. I always knew that VRFY and EXPN were
not sensible things to have in a protocol for exchanging mail. Early
versions of Exim did not support them, but I had to implement them
because some people pleaded so hard...
Luckily, the default configuration is safe, because by default EXPN is
locked out.
Also, the default configuration has no_verify set on the forwardfile
director, so (unless there is a problem), running EXPN to verify a
user's address should not run the filter file. It is my belief that
most sites just want verifying to check the local user, not what that
user might have forwarded to.
However, it should, of course, behave safely whatever configuration you
use. The problem is that, when Exim runs as a daemon, it runs as "exim"
for security. Consequently, if it is to run a filter file, it has to do
it as "exim". Clearly, the logwrite command should be locked out under
these circumstances. I will look at the code tomorrow, when I have
worked through the enormous pile of email that awaits me - our systems
have been off the air for 3 days as the result of (electronic) intruders
so I've a lot to catch up on.
Philip
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
--
*** Exim information can be found at
http://www.exim.org/ ***
