Author: Robert Millan
Date:
To: exim-users
Subject: Re: [exim] 551 User not local; please try <forward-path>
On Sat, Jun 17, 2006 at 11:39:29PM +0200, Magnus Holmgren wrote:
> On Saturday 17 June 2006 22:22, Robert Millan took the opportunity to write:
> > On Sat, Jun 17, 2006 at 09:59:32PM +0200, Magnus Holmgren wrote:
> > > > It seems it needs a bit more than access to the files:
> > > >
> > > > 2006-06-17 21:33:04 unable to set gid=1001 or uid=1001 (euid=102):
> > > > userforward router (recipient is xxx@yyy)
> > > >
> > > > The ~/.forward files are world-readable, so why does it attempt
> > > > setgid/setuid? Can we still avoid running exim as root?
> > >
> > > Yeees, I forgot that. Exim always tries to setuid/setgid to the user and
> > > group given by those options or check_local_user, for security reasons I
> > > think. You could add a verify_only router, but then you can't use $home.
> >
> > I don't understand. How can failure to drop privileges be a critical
> > error? When it runs as root, this never happens. When it runs as user, it
> > isn't necessary (although access could be denied if user is not the same).
>
> Because if you allow user-supplied filter files to be run as the exim user,
> the users can (by default) do anything they want as that user. It's not root,
> but it still has privileges users aren't supposed to have.
Oh, right. I forgot that's as easy as "|/tmp/evil-script".
Perhaps we could define a separate interface for filters that happen before
accepting mail? For example, ~/.preforward, and have things like:
# Returns "251 User not local; will forward to <foo@???>".
# Actual forwarding is determined by ~/.forward. This leaves us with room
# to do other tricky things like procmail, bayesian filtering, etc.
forward foo@???
finish
and:
# Returns "551 User not local; please try <foo@???>"
# No delivery happens on our part (the mail is rejected).
forward foo@???
fail
Just two commands are enough to determine 251/551 actions, without compromising
security. I think this would be feasible as long as the exim user has read
permission on ~user/.preforward.
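A parser for the ~/.preforward format proposed in the message above, added here as an example. It is not Exim code and the format exists only as a proposal in this thread; the file contents and the address foo@example.org (standing in for the obfuscated foo@???) are constructed. The point it demonstrates is the security argument of the proposal: a grammar that admits exactly `forward <address>` plus `finish` or `fail` cannot be driven into running a pipe or touching a file, whereas a full .forward file executed as the exim user can.

```python
"""Parser for the hypothetical ~/.preforward format proposed in the thread above.

Constructed example, not part of Exim. The grammar is deliberately tiny:
`forward <address>` followed by either `finish` (accept and relay: 251)
or `fail` (reject with a redirect hint: 551). Any other line is an error,
so a user-supplied file can never make the MTA run a command or touch a
file, which is the problem with letting ~/.forward run as the exim user.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Conservative address syntax: no shell metacharacters, no leading '|' or '/'.
ADDR_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class PreforwardError(ValueError):
    """Raised for any line the restricted grammar does not allow."""


@dataclass(frozen=True)
class Decision:
    code: int       # 251 (will forward) or 551 (please try elsewhere)
    target: str     # the address named by the `forward` command
    reply: str      # the SMTP reply text the MTA would return at RCPT time


def parse_preforward(text: str) -> Decision:
    """Parse a .preforward file body into a 251/551 decision or raise."""
    target: Optional[str] = None
    action: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if action is not None:
            raise PreforwardError(f"line {lineno}: nothing may follow {action!r}")
        tokens = line.split()
        if tokens[0] == "forward":
            if target is not None:
                raise PreforwardError(f"line {lineno}: only one forward target allowed")
            if len(tokens) != 2 or not ADDR_RE.match(tokens[1]):
                raise PreforwardError(f"line {lineno}: bad forward target")
            target = tokens[1]
        elif tokens[0] in ("finish", "fail"):
            if len(tokens) != 1:
                raise PreforwardError(f"line {lineno}: {tokens[0]} takes no arguments")
            if target is None:
                raise PreforwardError(f"line {lineno}: {tokens[0]} before forward")
            action = tokens[0]
        else:
            # Pipes ("|/tmp/evil-script"), file paths, :include: and every
            # other .forward construct land here and are refused outright.
            raise PreforwardError(f"line {lineno}: unknown command {tokens[0]!r}")
    if target is None or action is None:
        raise PreforwardError("file must contain 'forward <address>' and 'finish' or 'fail'")
    if action == "finish":
        return Decision(251, target, f"251 User not local; will forward to <{target}>")
    return Decision(551, target, f"551 User not local; please try <{target}>")


def rejects(text: str) -> bool:
    """True if the grammar refuses the file (shows what cannot get through)."""
    try:
        parse_preforward(text)
    except PreforwardError:
        return True
    return False


# Constructed sample files; foo@example.org stands in for the obfuscated foo@??? above.
ACCEPT_FILE = "# forward and deliver\nforward foo@example.org\nfinish\n"
REJECT_FILE = "# bounce with a hint, deliver nothing\nforward foo@example.org\nfail\n"
PIPE_ATTEMPT = "|/tmp/evil-script\n"                    # classic .forward pipe: refused
PIPE_AS_TARGET = "forward |/tmp/evil-script\nfinish\n"  # refused by ADDR_RE

if __name__ == "__main__":
    for name, body in [("accept", ACCEPT_FILE), ("reject", REJECT_FILE)]:
        print(name, "->", parse_preforward(body).reply)
    for name, body in [("pipe", PIPE_ATTEMPT), ("pipe-target", PIPE_AS_TARGET)]:
        print(name, "-> refused:", rejects(body))
```

Because the parser only ever returns a decision and never acts on the file, the process that reads it needs nothing beyond read access to ~user/.preforward; there is no command or file operation for a setuid failure to protect against, which is the part of the proposal that sidesteps the "unable to set gid/uid" error quoted earlier in the thread.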