[ On Saturday, September 11, 2004 at 09:17:53 (+0100), Philip Hazel wrote: ]
> Subject: Re: [exim] Exim overparanoid about non-root users.
>
> On Fri, 10 Sep 2004, Greg A. Woods wrote:
>
> > If Exim allows admin-group users to specifiy an arbitrary configuration
> > file on the command line then there should be a big warning that doing
> > this is probably equivalent to giving those users the root password
> > should they choose to try to use this technique to gain increased
> > privileges, regardless of how bug free and carefully coded Exim actually
> > is.
>
> Why not take a peek at the spec?
Sorry, I should have been more explicit, but my post was kind of
intended to be a leading question.....
OK, so which is it? Does Exim allow admin-group uders to specify
arbitrary configuration files on the command-line, or not?
Other answers in this thread seemed to suggest this would be possible.
The manual page you quote from suggests not, however see below ....
> Extract 1:
>
> -C <filelist>
> This option causes Exim to find the run time configuration file from
> the given list instead of from the list specified by the CONFIGURE_FILE
> compile-time setting. Usually, the list will consist of just a single
> file name, but it can be a colon-separated list of names. In this case,
> the first file that exists is used. Failure to open an existing file
> stops Exim from proceeding any further along the list, and an error is
> generated.
>
> When this option is used by a caller other than root or the Exim user,
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> and the list is different from the compiled-in list, Exim gives up its
> root privilege immediately, and runs with the real and effective uid
You left out the (confusing) part about ALT_CONFIG_ROOT_ONLY, which
IMVNSHO should be the only way a privileged program such as Exim should
ever work. The current default mode of operation where
ALT_CONFIG_ROOT_ONLY is not defined makes the "exim" user effectively as
privileged as "root" and that way gives all sorts of new avenues for
exploits.
> Extract 2:
>
> Warning: In a conventional configuration, where the Exim binary is setuid to
> root, anybody who is able to edit the run time configuration file has an easy
> way to run commands as root. If you make your mail administrators members of
> the Exim group, but do not trust them with root, make sure that the run time
> configuration is not group writeable.
I'm going to propose that it's quite likely that anyone with "exim"
group membership will be able to attain the full privileges of the
"exim" user without too much difficulty and thus (by default, as per
above) they'll be able to specify a config file that they can write to
and thus they'll be able to run abitrary commands as root too.
Which begs the question: What would be the point of ever making anyone
a member of the "exim" group when they're not trusted with root privs?
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@???>
Planix, Inc. <woods@???> Secrets of the Weird <woods@???>
