Earlier this week I had a discussion with Ian Jackson and Jon Amery about
support for chiark's Exim configuration in Exim 4. They want to be able to
run users' .forward files at verification time, in order to be able to
reject local parts with affixes that the user has not defined. This works
easily in Exim 3 because it is able to switch to any user's privilege
context at verification time, so it can run the .forward file with the
same privileges as the person who created the file. Exim 4 cannot do this.
What we want to be able to do is safely run a .forward file at
verification time, with all the dangerous features turned off;
then re-run it at delivery time with all the funky stuff available.
I suggest the following changes to Exim to make this easier.
(1) The set of forbid_filter_* options increases over time, and omitting
one of them in this verification router opens a security hole. So I
suggest a forbid_filter_all option which encompases all of them and will
not become insecure in the future.
Hmm. I have an uncommitted forbid_all option which was designed to make
the redirect routers on ppswitch shorter, but it is too strict for the
chiark configuration. See below for the draft patch.
(2) As a counterpart to the forbid_filter_all option, we need an
ignore_forbidden_expansions option, which means that forbidden expansions
do not cause an error at verification time; instead Exim should just give
the .forward file the benefit of the doubt. Would it be sufficient to just
make them expand to the empty string?
(3) A redirect router which has verify_only and check_local_user is a
configuration error at the moment - it cannot work, because Exim cannot
switch to the local user at verification time to run the router. I suggest
that in this situation, Exim should omit the switch-to-user effects of
check_local_user, and probably also automatically turn on
forbid_filter_all and ignore_forbidden_expansions.
Any comments on these suggestions? Philip, do you have time to do the
coding? :-)
Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
--- routers/redirect.c 7 Feb 2006 11:19:02 -0000 1.15
+++ routers/redirect.c 12 Apr 2006 13:40:57 -0000
@@ -39,6 +39,8 @@
(void *)offsetof(redirect_router_options_block, file) },
{ "file_transport", opt_stringptr,
(void *)offsetof(redirect_router_options_block, file_transport_name) },
+ { "forbid_all", opt_bool,
+ (void *)offsetof(redirect_router_options_block, forbid_all) },
{ "forbid_blackhole", opt_bit | (RDON_BLACKHOLE << 16),
(void *)offsetof(redirect_router_options_block, bit_options) },
{ "forbid_exim_filter", opt_bit | (RDON_EXIM_FILTER << 16),
@@ -209,6 +211,23 @@
if (rblock->unseen || rblock->expand_unseen != NULL)
log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n "
"\"unseen\" may not be used with \"one_time\"", rblock->name);
+ }
+
+/* Handle the forbid_all option, which sets a load of other options. It must
+also check that none of the allow_ settings have been enabled, because that
+would be inconsistent. */
+
+if (ob->forbid_all)
+ {
+ if ((ob->bit_options & (RDO_DEFER | RDO_FAIL | RDO_FILTER | RDO_FREEZE))
+ != 0)
+ log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n "
+ "\"forbid_all\" may not be used with an \"allow_\" option",
+ rblock->name);
+ ob->forbid_pipe = ob->forbid_file = ob->forbid_filter_reply = TRUE;
+ ob->bit_options |= RDO_BLACKHOLE | RDO_EXIM_FILTER | RDO_DLFUNC |
+ RDO_EXISTS | RDO_LOG | RDO_LOOKUP | RDO_PERL | RDO_READFILE |
+ RDO_READSOCK | RDO_RUN | RDO_INCLUDE | RDO_SIEVE_FILTER;
}
/* The defaults for check_owner and check_group depend on other settings. The
--- routers/redirect.h 7 Feb 2006 11:19:02 -0000 1.7
+++ routers/redirect.h 12 Apr 2006 13:40:57 -0000
@@ -48,6 +48,7 @@
BOOL check_ancestor;
BOOL check_group;
BOOL check_owner;
+ BOOL forbid_all;
BOOL forbid_file;
BOOL forbid_filter_reply;
BOOL forbid_pipe;
