Re: [Exim] Security

Author: Philip Hazel
Date:  
To: Marilyn Davis
CC: exim-users
Subject: Re: [Exim] Security
On Mon, 30 Oct 2000, Marilyn Davis wrote:

> My first task is to write a little paper proposing election software
> based on free software. In the paper I want to say that there have
> been no security bugs logged against exim in ..... length of time.
> Can anyone tell me that? Or tell me what I can say truthfully about
> the security of exim?

AFAIK, there has never been a security bug for an exposure to an
external user. There have been some for exposures to internal users,
that is, users logged in to the host which is running Exim. That does
not, of course, mean that there are no lurking bugs!

1. Back in 1.62 there was a potential buffer overrun in the code for
:include: files. This was fixed in 1.70 (released August, 1997).

2. More recently, it has been pointed out that passwords (for things
like mysql) that are specified in the configuration file are exposed to
local users via the -bP options. A means of hiding certain settings is
implemented in the testing releases and will be in the next release.

3. Also recently, it has been pointed out that the -be option can allow
unprivileged users to read files they should not be able to. This is
also fixed in the next release.

4. What have I forgotten? Anybody remember any more?

People have said several times that there should be a security audit. I
entirely agree, but if anybody has done one, they have not published the
results, to my knowledge.

I have learned a lot about these issues since I started to write Exim. I
now finally understand why seteuid() is such a bad idea, even in the
relatively "minor" way that Exim uses it. Once the next release is out
the door (by the end of the year) I am going to write a "white paper"
about future directions, and one of the things in it will be a proposal
to remove the use of seteuid() altogether (currently it is used to give up
privilege temporarily (a) while directing/routing, (b) while running user
filters and (c) while doing some require_files checks).

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
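The seteuid() point in the message above, as an added example that is not part of the original post or of Exim's own code: a temporary drop via seteuid() leaves the saved set-user-ID at root, so anything run under the lowered effective uid (a user filter, a lookup) can call seteuid(0) and get root back; a permanent drop sets real, effective and saved ids together and then verifies that regaining root fails. The code assumes Linux/glibc (setresuid, setresgid, getresuid) and, so that it can be run unprivileged, uses the caller's own uid as the drop target; run it as root to see the temporary drop reported as reversible.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Temporary drop in the style the message describes: seteuid() changes only the
 * effective uid; the saved set-user-ID still holds root. Returns 1 if the process
 * can get root back afterwards (the drop was reversible), 0 if it cannot, and -1
 * if the initial seteuid() itself failed.
 */
int temporary_drop_keeps_root(uid_t target)
{
    if (seteuid(target) != 0)
        return -1;
    /* Whatever runs with this euid (a user filter, a lookup) can make the same call. */
    if (seteuid(0) == 0)
        return 1;
    return 0;
}

/*
 * Permanent drop: clear supplementary groups, set real, effective and saved ids
 * in one step, then verify the result instead of trusting return codes alone.
 * Returns 0 on success, -1 on any failure.
 */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Supplementary groups are only clearable while still privileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Groups before uid: once the uid is dropped, setresgid() would be refused. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify all three ids really changed. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    /* The decisive check: regaining root must now fail (EPERM). */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    uid_t me = getuid();   /* assumption: drop to our own uid so this runs unprivileged */

    printf("temporary drop reversible: %d\n", temporary_drop_keeps_root(me));
    printf("permanent drop: %s\n",
           drop_privileges_permanently(me, getgid()) == 0 ? "ok" : "failed");
    printf("seteuid(0) afterwards: %s\n",
           seteuid(0) == 0 ? "succeeded (still privileged)" : "refused");
    return 0;
}
```

As an ordinary user both functions report 0: seteuid(0) is refused before and after. As root, temporary_drop_keeps_root() returns 1, which is the whole problem with using it as a privilege boundary; drop_privileges_permanently() with a non-root target is the form under which the check at the end actually fails closed.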