Re: [Exim] Does Exim have security problems?

Author: Philip Hazel
Date:  
To: Jeffrey Goldberg
CC: Mustapha Mahfouz, Malcolm Ray, exim-users
Subject: Re: [Exim] Does Exim have security problems?
On Tue, 29 Aug 2000, Jeffrey Goldberg wrote:

> That is not entirely true. Exim processes *permanently* discard
> privileges, if I understand correctly.


Sometimes, depending on why they are discarding it. For local
deliveries, receiving a message, and the daemon, it is permanent. For
reading a user's .forward file, it is temporary.

> For years now exim has used its own sprintf() functions. Though I am a
> bit surprised that PH made the mistake of using the standard library one
> in the very early days of exim.


I am not a security expert, but I have learned a lot since I started
writing Exim.

> > | Moreover, Exim's "security consciousness" is defined by a variable living
> > | in Exim's process memory space. For that matter, so is the binary Exim
> > | executes when restarting itself (defined by a global pointer called
> > | "exim_path"). What's to prevent someone from altering either of these
> > | and subverting the program? Certainly not the code!
>
> This is interesting. Anyone who knows more about these things wish to
> elaborate? I'm not sure what alternative is recommended.


By definition, if Exim restarts itself, it is not privileged, because if
it were privileged, it would not need to restart itself. So all you
achieve by subverting exim_path is to allow an unprivileged program to
execute an arbitrary command. If you have the ability to overwrite the
code of Exim, you could do this even if exim_path didn't exist.

> Any serious security critique should be looked at.


Of course. I did look at it. Many changes were made. If somebody makes a
new critique, I will certainly look at it.

> Philip Hazel is away for a few weeks.


Days, days! See how easy it is to start an incorrect rumour. :-)


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.