[Exim] transport_filter insecure?

Author: Martin Buck
Date:  
To: exim-users
Subject: [Exim] transport_filter insecure?
Hi,

I just noticed that transport_filters have a (at least to me) rather
surprising feature: They are run using the environment inherited from the
exim process which in turn might be inherited from an arbitrary user. The
problem is that they might be run with the uid of another user. Depending
on what a specific filter does (e.g. whether it uses $PATH or not), this is
a security hole.

Even if this weren't a security hole, it should be changed nevertheless
since I can't imagine a case where the current behaviour would be useful. I
noticed this bug originally when my transport_filter tried to run
bogofilter with HOME=/root...

BTW, I tested this with exim 3.35, but the code in 4.24 looks pretty
similar. And I guess other calls to child_open() could be affected as well.

Martin
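
An added example, not part of the original message and not Exim's code: one way for a parent process to start a filter under another account with an environment built only from that account's passwd entry, so that the caller's HOME and PATH never reach the child. The names `build_filter_env`, `run_filter_as`, `env_pair`, `free_env` and the fixed search path are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1 /* setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: a fixed search path chosen by the administrator. */
#define SAFE_PATH "/usr/bin:/bin"

static char *env_pair(const char *key, const char *value) {
    size_t len = strlen(key) + strlen(value) + 2; /* '=' and NUL */
    char *s = malloc(len);
    if (s != NULL) snprintf(s, len, "%s=%s", key, value);
    return s;
}

static void free_env(char **e) { for (int i = 0; i < 3; i++) free(e[i]); free(e); }

/* Build the child's environment from the target account only; nothing is copied from environ. */
char **build_filter_env(const struct passwd *pw) {
    char **envp = calloc(4, sizeof *envp); /* 3 entries + NULL terminator */
    if (envp == NULL) return NULL;
    envp[0] = env_pair("PATH", SAFE_PATH);
    envp[1] = env_pair("HOME", pw->pw_dir);
    envp[2] = env_pair("LOGNAME", pw->pw_name);
    if (envp[0] && envp[1] && envp[2]) return envp;
    free_env(envp);
    return NULL;
}

/* Run argv (absolute path, no $PATH lookup) as the account in pw, dropping
   privileges only when it differs from the caller. Returns exit status or -1. */
int run_filter_as(const struct passwd *pw, char *const argv[]) {
    char **envp = build_filter_env(pw);
    pid_t pid = envp ? fork() : -1;
    if (pid == 0) {
        if ((pw->pw_uid != geteuid() || pw->pw_gid != getegid()) &&
            (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0))
            _exit(126); /* refuse to run the filter with the wrong identity */
        execve(argv[0], argv, envp);
        _exit(127);
    }
    int status = -1;
    if (pid > 0 && waitpid(pid, &status, 0) != pid) status = -1;
    if (envp) free_env(envp);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The group list and gid are changed before the uid, because once the uid has been dropped the process no longer has the privilege to change them.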