Re: [exim] 551 User not local; please try <forward-path>

Author: Robert Millan
Date:
To: exim-users
Subject: Re: [exim] 551 User not local; please try <forward-path>
On Sat, Jun 17, 2006 at 11:39:29PM +0200, Magnus Holmgren wrote:
> On Saturday 17 June 2006 22:22, Robert Millan took the opportunity to write:
> > On Sat, Jun 17, 2006 at 09:59:32PM +0200, Magnus Holmgren wrote:
> > > > It seems it needs a bit more than access to the files:
> > > >
> > > > 2006-06-17 21:33:04 unable to set gid=1001 or uid=1001 (euid=102):
> > > > userforward router (recipient is xxx@yyy)
> > > >
> > > > The ~/.forward files are world-readable, so why does it attempt
> > > > setgid/setuid? Can we still avoid running exim as root?
> > >
> > > Yeees, I forgot that. Exim always tries to setuid/setgid to the user and
> > > group given by those options or check_local_user, for security reasons I
> > > think. You could add a verify_only router, but then you can't use $home.
> >
> > I don't understand. How can failure to drop privileges be a critical
> > error? When it runs as root, this never happens. When it runs as user, it
> > isn't necessary (although access could be denied if user is not the same).
>
> Because if you allow user-supplied filter files to be run as the exim user,
> the users can (by default) do anything they want as that user. It's not root,
> but it still has privileges users aren't supposed to have.
Oh, right. I forgot that's as easy as "|/tmp/evil-script".

Perhaps we could define a separate interface for filters that happen before
accepting mail? For example, ~/.preforward, and have things like:

# Returns "251 User not local; will forward to <foo@???>".
# Actual forwarding is determined by ~/.forward. This leaves us with room
# to do other tricky things like procmail, bayesian filtering, etc.
forward foo@???
finish

and:

# Returns "551 User not local; please try <foo@???>"
# No delivering happens on our part (mail is rejected).
forward foo@???
fail

Just two commands are enough to determine 251/551 actions, without compromising
security. I think this would be feasible as long as the exim user has read
permission to ~user/.preforward.

What do you think?

Btw, should we move this to the developer list?

--
Robert Millan
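A strict parser for the ~/.preforward format proposed in this message, written here as an added illustration only; it is not Exim code and not from the original post. The two-verb grammar, the `PreforwardDecision`/`PreforwardError` names and the sample address are assumptions; the point it shows is that a file restricted to `forward <addr>` plus `finish`/`fail` can be evaluated without executing anything the user wrote, which is what makes it safe to read as the unprivileged exim user.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical grammar for ~/.preforward: exactly one "forward <address>"
# followed by "finish" (reply 251) or "fail" (reply 551). Every other line,
# including "|/tmp/evil-script" style pipes or file paths, is a parse error,
# so evaluating the file never runs user-supplied commands.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass(frozen=True)
class PreforwardDecision:
    code: int      # 251 or 551
    target: str    # the forward-path address
    message: str   # full SMTP reply line


class PreforwardError(ValueError):
    """Raised for any line outside the two-command grammar."""


def parse_preforward(text: str) -> PreforwardDecision:
    target: Optional[str] = None
    action: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        parts = line.split()
        if parts[0] == "forward" and len(parts) == 2 and target is None:
            if not _ADDR_RE.match(parts[1]):
                raise PreforwardError(f"line {lineno}: bad address {parts[1]!r}")
            target = parts[1]
        elif line in ("finish", "fail") and target is not None and action is None:
            action = line
        else:
            # Unknown verbs, pipes, duplicates or wrong ordering are refused outright.
            raise PreforwardError(f"line {lineno}: unsupported directive {line!r}")
    if target is None or action is None:
        raise PreforwardError("expected 'forward <addr>' followed by 'finish' or 'fail'")
    if action == "finish":
        return PreforwardDecision(251, target, f"251 User not local; will forward to <{target}>")
    return PreforwardDecision(551, target, f"551 User not local; please try <{target}>")


def preforward_reply(text: str) -> Optional[str]:
    """SMTP reply for a well-formed file, or None when the file must be ignored."""
    try:
        return parse_preforward(text).message
    except PreforwardError:
        return None
```

A malformed file yields `None`, so the router would fall through to its ordinary handling instead of executing anything.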