Re: [exim] Exim overparanoid about non-root users.

Pàgina inicial
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
A: Exim User's Mailing List
Assumpte: Re: [exim] Exim overparanoid about non-root users.
On Fri, 10 Sep 2004, Greg A. Woods wrote:

> If Exim allows admin-group users to specifiy an arbitrary configuration
> file on the command line then there should be a big warning that doing
> this is probably equivalent to giving those users the root password
> should they choose to try to use this technique to gain increased
> privileges, regardless of how bug free and carefully coded Exim actually
> is.


Why not take a peek at the spec?

Extract 1:

-C <filelist>
       This option causes Exim to find the run time configuration file from
       the given list instead of from the list specified by the CONFIGURE_FILE
       compile-time setting. Usually, the list will consist of just a single
       file name, but it can be a colon-separated list of names. In this case,
       the first file that exists is used. Failure to open an existing file
       stops Exim from proceeding any further along the list, and an error is
       generated.


       When this option is used by a caller other than root or the Exim user,
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       and the list is different from the compiled-in list, Exim gives up its
       root privilege immediately, and runs with the real and effective uid


Extract 2:

Warning: In a conventional configuration, where the Exim binary is setuid to
root, anybody who is able to edit the run time configuration file has an easy
way to run commands as root. If you make your mail administrators members of
the Exim group, but do not trust them with root, make sure that the run time
configuration is not group writeable.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book