[exim] Exim filters in virtual hosting environments

Author: Brian Candler
Date:  
To: exim-users
Subject: [exim] Exim filters in virtual hosting environments
Hello,

I wondered if anyone has any thoughts about the safety, or otherwise, of
allowing Exim filters in a virtual hosting environment (that is, where all
the mailboxes are owned by the same uid).

The options I'm considering are:

1. Allow people to upload their own filter scripts, and turn on
forbid_pipe/file/include and all forbid_filter_* options.

I'm uncomfortable with that, as there may be unforeseen security holes.
Currently there's no way to block out ${stat}, for example. Also, the
functionality available is limited: you can only accept, drop or forward a
message.

[Aside: perhaps forbid_filter_existstest ought to block out ${stat} too? ]

2. Write a web interface which lets people add rules of a predetermined
format using preset conditions only. Probably secure but not very flexible,
and parsing back the existing filter set could be awkward.

However it would allow me to use the 'logwrite' and 'save' options (since
I'd have a hardcoded 'logfile' and could restrict the 'save' destination
appropriately).

3. Write a parser for the Exim filter language and use it to validate
uploaded filters to 'safe' configurations only (e.g. 'save' lines would have
a destination with no string expansions and no absolute paths or /../). This
would have the additional advantage of preventing users installing invalid
filter files. However I don't really fancy writing a parser for this from
scratch, especially in the absence of a formal grammar.

4. Set up my filter router with directory_transport pointing to a dedicated
router, which refuses to deliver if the directory contains .. or is not
underneath $home. That would allow me to remove forbid_file and enable the
'save' operation, but still has the problem of unforeseen holes as in (1).

5. Modify Exim's filter processing in various ways: e.g. force 'logfile' to
a particular value so that 'logwrite' can be enabled; or modify all file
accesses so that they check they only take place underneath $home. This gets
into the realm of Exim patching and still may be subject to unforeseen
holes.

Anybody have any experience in this area that they'd care to share?

Thanks,

Brian Candler.
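A minimal version of the 'save' destination check that options 3 and 4 describe, added here as an example and not part of the original post or of Exim itself: it scans an uploaded filter file for `save` commands and rejects destinations that use string expansions, absolute paths outside the mailbox home, or `..` segments. The line shape it recognises (optional `seen`/`unseen`, then `save`, then an optionally quoted path) is a simplifying assumption, not a full Exim filter grammar.

```python
import posixpath
import re

# Assumed, simplified Exim-filter line shape (not a full parser):
#   [seen|unseen] save <path>   with optional double quotes around <path>
SAVE_RE = re.compile(r'^\s*(?:(?:un)?seen\s+)?save\s+("?)(.*?)\1\s*$')


def check_save_path(dest, home):
    """Return None if dest is an acceptable save destination, else a reason."""
    if "$" in dest:
        return "string expansion not allowed"
    # A relative save path is taken to resolve against the mailbox home.
    full = dest if dest.startswith("/") else posixpath.join(home, dest)
    if ".." in full.split("/"):
        return "'..' path segment not allowed"
    norm = posixpath.normpath(full)
    # Compare with a trailing slash so /home/vmail/userX is not mistaken
    # for something underneath /home/vmail/user.
    if norm != home and not norm.startswith(home.rstrip("/") + "/"):
        return "destination is outside the mailbox home"
    return None


def validate_filter(text, home):
    """Check every 'save' command; return a list of (line number, reason)."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SAVE_RE.match(line)
        if not m:
            continue
        reason = check_save_path(m.group(2), home)
        if reason:
            problems.append((lineno, reason))
    return problems


# Constructed sample filter exercising each rule (lines 5, 6 and 7 should fail).
SAMPLE = """\
# Exim filter
if $h_subject: contains "list" then
  save "Mail/lists"
endif
save /var/mail/other-user
unseen save "$home/Mail/stuff"
save Mail/../../etc/passwd
"""

if __name__ == "__main__":
    for lineno, reason in validate_filter(SAMPLE, "/home/vmail/user"):
        print(f"line {lineno}: {reason}")
```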