Re: [exim] Exim overparanoid about non-root users.

Author: Philip Hazel
Date:  
To: Exim User's Mailing List
Subject: Re: [exim] Exim overparanoid about non-root users.
On Mon, 13 Sep 2004, Greg A. Woods wrote:

> OK, so which is it? Does Exim allow admin-group users to specify
> arbitrary configuration files on the command-line, or not?


No. It allows only root or the exim user, as TFM says:

> >        When this option is used by a caller other than root or the Exim user,
> >                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >        and the list is different from the compiled-in list, Exim gives up its
> >        root privilege immediately, and runs with the real and effective uid


> You left out the (confusing) part about ALT_CONFIG_ROOT_ONLY,


Sorry, forgot about that.

> which IMVNSHO should be the only way a privileged program such as Exim
> should ever work.


> The current default mode of operation where ALT_CONFIG_ROOT_ONLY is
> not defined makes the "exim" user effectively as privileged as "root"
> and that way gives all sorts of new avenues for exploits.


It is true that if somebody breaks into the exim account they can
probably from there break into the root account, but this is not
necessarily dependent on ALT_CONFIG_ROOT_ONLY being unset. It is also
something that applies to other "privileged" accounts, I suspect.

> I'm going to propose that it's quite likely that anyone with "exim"
> group membership will be able to attain the full privileges of the
> "exim" user without too much difficulty and thus (by default, as per
> above) they'll be able to specify a config file that they can write to
> and thus they'll be able to run arbitrary commands as root too.


I do not know how difficult this would be. I am not a security expert.

> Which begs the question: What would be the point of ever making anyone
> a member of the "exim" group when they're not trusted with root privs?


This is to some extent a social question, not a technical one. You might
not want to give your operators root privilege, but you might trust them
not to abuse their exim group privilege, for instance. Possibly even for
legal reasons (minimizing the private information they can see).

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book
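The rule the thread is arguing about can be written down as a small decision table. The following is an added model of the -C privilege rule as the quoted manual text and the ALT_CONFIG_ROOT_ONLY build option describe it; it is not Exim's own code, and the uid values and the CONFIGURE_FILE path it uses are assumed for illustration. Note that membership of the exim (admin) group does not appear in the rule at all: only the caller's uid, the compiled-in list and the build option matter.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added model of Exim's -C privilege rule (not Exim's source):
 *  - no -C, or -C naming exactly the compiled-in list: root is kept;
 *  - caller is root: root is kept;
 *  - caller is the Exim user: root is kept only in the default build,
 *    i.e. when ALT_CONFIG_ROOT_ONLY is NOT defined in Local/Makefile;
 *  - any other caller: root is dropped immediately to the caller's
 *    real uid/gid.
 */

#define ROOT_UID 0

struct ctx {
    uid_t caller_uid;          /* real uid of the process calling exim */
    uid_t exim_uid;            /* uid Exim was built to run as (EXIM_UID) */
    const char *compiled_list; /* CONFIGURE_FILE list from the build */
    const char *requested;     /* argument to -C, or NULL if -C not given */
    bool alt_config_root_only; /* ALT_CONFIG_ROOT_ONLY defined at build? */
};

/* Returns true if Exim keeps root privilege for this invocation,
 * false if it gives root up and runs as the caller. */
bool keeps_root(const struct ctx *c)
{
    /* Not an alternate configuration: the normal setuid path applies. */
    if (c->requested == NULL || strcmp(c->requested, c->compiled_list) == 0)
        return true;

    if (c->caller_uid == ROOT_UID)
        return true;

    /* Default build trusts the Exim user with alternate configs;
     * ALT_CONFIG_ROOT_ONLY withdraws that trust. */
    if (c->caller_uid == c->exim_uid && !c->alt_config_root_only)
        return true;

    return false;
}

/* Convenience wrapper: "does caller `uid` keep root when passing an
 * alternate config under a build with/without ALT_CONFIG_ROOT_ONLY?"
 * Assumed values: exim uid 93, CONFIGURE_FILE /etc/exim/exim.conf. */
bool alt_config_keeps_root(uid_t uid, bool alt_config_root_only)
{
    struct ctx c = {
        .caller_uid = uid,
        .exim_uid = 93,
        .compiled_list = "/etc/exim/exim.conf",
        .requested = "/tmp/operator-test.conf",
        .alt_config_root_only = alt_config_root_only,
    };
    return keeps_root(&c);
}

int main(void)
{
    const struct { const char *name; uid_t uid; } callers[] = {
        { "root",          0 },
        { "exim user",    93 },
        { "exim-group member (uid 1000)", 1000 },
    };

    printf("%-34s %-14s %s\n", "caller with -C /tmp/operator-test.conf",
           "default build", "ALT_CONFIG_ROOT_ONLY");
    for (size_t i = 0; i < sizeof callers / sizeof callers[0]; i++) {
        printf("%-34s %-14s %s\n", callers[i].name,
               alt_config_keeps_root(callers[i].uid, false) ? "keeps root" : "drops root",
               alt_config_keeps_root(callers[i].uid, true)  ? "keeps root" : "drops root");
    }
    return 0;
}
```

The table the program prints makes Philip's point concrete: in the default build the exim user is the only non-root uid that keeps root with an arbitrary -C file, which is why Greg's concern reduces to "can an exim-group member become the exim user", a question the rule itself does not answer.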