On Fri, 10 Sep 2004, Greg A. Woods wrote:
> If Exim allows admin-group users to specifiy an arbitrary configuration
> file on the command line then there should be a big warning that doing
> this is probably equivalent to giving those users the root password
> should they choose to try to use this technique to gain increased
> privileges, regardless of how bug free and carefully coded Exim actually
> is.
Why not take a peek at the spec?
Extract 1:
-C <filelist>
This option causes Exim to find the run time configuration file from
the given list instead of from the list specified by the CONFIGURE_FILE
compile-time setting. Usually, the list will consist of just a single
file name, but it can be a colon-separated list of names. In this case,
the first file that exists is used. Failure to open an existing file
stops Exim from proceeding any further along the list, and an error is
generated.
When this option is used by a caller other than root or the Exim user,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
and the list is different from the compiled-in list, Exim gives up its
root privilege immediately, and runs with the real and effective uid
Extract 2:
Warning: In a conventional configuration, where the Exim binary is setuid to
root, anybody who is able to edit the run time configuration file has an easy
way to run commands as root. If you make your mail administrators members of
the Exim group, but do not trust them with root, make sure that the run time
configuration is not group writeable.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
