pdp 2010/06/06 03:46:13 BST
Modified files:
exim-doc/doc-txt ChangeLog NewStuff
exim-src/src EDITME buildconfig.c exim.c
Log:
No longer permit the exim user to be root. Fixes: #752
Revision Changes Path
1.626 +2 -0 exim/exim-doc/doc-txt/ChangeLog
1.172 +12 -0 exim/exim-doc/doc-txt/NewStuff
1.26 +1 -2 exim/exim-src/src/EDITME
1.16 +14 -0 exim/exim-src/src/buildconfig.c
1.69 +6 -0 exim/exim-src/src/exim.c
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.625
retrieving revision 1.626
diff -u -r1.625 -r1.626
--- ChangeLog 6 Jun 2010 02:08:50 -0000 1.625
+++ ChangeLog 6 Jun 2010 02:46:13 -0000 1.626
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.625 2010/06/06 02:08:50 pdp Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.626 2010/06/06 02:46:13 pdp Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -40,6 +40,8 @@
PP/12 Bugzilla 973: Implement --version.
+PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0.
+
Exim version 4.72
-----------------
Index: NewStuff
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/NewStuff,v
retrieving revision 1.171
retrieving revision 1.172
diff -u -r1.171 -r1.172
--- NewStuff 6 Jun 2010 01:35:41 -0000 1.171
+++ NewStuff 6 Jun 2010 02:46:13 -0000 1.172
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.171 2010/06/06 01:35:41 pdp Exp $
+$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.172 2010/06/06 02:46:13 pdp Exp $
New Features in Exim
--------------------
@@ -63,6 +63,18 @@
control = debug/opts=+expand+acl
control = debug/tag=.$message_exim_id/opts=+expand
+ 7. It has always been implicit in the design and the documentation that
+ "the Exim user" is not root. src/EDITME said that using root was
+ "very strongly discouraged". This is not enough to keep people from
+ shooting themselves in the foot in days when many don't configure Exim
+ themselves but via package build managers. The security consequences of
+ running various bits of network code are severe if there should be bugs in
+ them. As such, the Exim user may no longer be root. If configured
+ statically, Exim will refuse to build. If configured as ref:user then Exim
+ will exit shortly after start-up. If you must shoot yourself in the foot,
+ then henceforth you will have to maintain your own local patches to strip
+ the safeties off.
+
Version 4.72
------------
Index: EDITME
===================================================================
RCS file: /home/cvs/exim/exim-src/src/EDITME,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- EDITME 5 Jun 2010 11:13:29 -0000 1.25
+++ EDITME 6 Jun 2010 02:46:13 -0000 1.26
@@ -1,4 +1,4 @@
-# $Cambridge: exim/exim-src/src/EDITME,v 1.25 2010/06/05 11:13:29 pdp Exp $
+# $Cambridge: exim/exim-src/src/EDITME,v 1.26 2010/06/06 02:46:13 pdp Exp $
##################################################
# The Exim mail transport agent #
@@ -131,8 +131,7 @@
# group that is used for Exim processes when they no longer need to be root. In
# particular, this applies when receiving messages and when doing remote
# deliveries. (Local deliveries run as various non-root users, typically as the
-# owner of a local mailbox.) Specifying these values as root is very strongly
-# discouraged.
+# owner of a local mailbox.) Specifying these values as root is not supported.
EXIM_USER=
Index: buildconfig.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/buildconfig.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- buildconfig.c 16 Nov 2009 19:50:36 -0000 1.15
+++ buildconfig.c 6 Jun 2010 02:46:13 -0000 1.16
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/buildconfig.c,v 1.15 2009/11/16 19:50:36 nm4 Exp $ */
+/* $Cambridge: exim/exim-src/src/buildconfig.c,v 1.16 2010/06/06 02:46:13 pdp Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -356,6 +356,7 @@
uid_t uid = 0;
gid_t gid = 0;
int gid_set = 0;
+ int uid_not_set = 0;
char *username = NULL;
char *groupname = NULL;
char *s;
@@ -410,6 +411,7 @@
while (isspace(*user)) user++;
username = user;
gid_set = 1;
+ uid_not_set = 1;
}
else
@@ -503,6 +505,18 @@
return 1;
}
+ /* security sanity checks
+ if ref: is being used, we can never be sure, but we can take reasonable
+ steps to filter out the most obvious ones. */
+
+ if ((!uid_not_set && uid == 0) ||
+ (strcmp(username, "root") == 0) ||
+ (strcmp(username, "toor") == 0) )
+ {
+ printf("\n*** Exim's internal user must not be root.\n\n");
+ return 1;
+ }
+
/* Output user and group names or uid/gid. When names are set, uid/gid
are set to zero but will be replaced at runtime. */
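Review bot: The two `strcmp` calls after the `uid == 0` test run on `username` unconditionally, but `username` starts as `NULL` (the `char *username = NULL;` context line in the first buildconfig.c hunk) and within the visible hunks is assigned only in the `ref:` branch, so a numeric or plain-name EXIM_USER would, as far as these lines show, pass `NULL` to `strcmp`, which is undefined behaviour and in practice a crash of buildconfig. Guard the name comparisons: `(username != NULL && (strcmp(username, "root") == 0 || strcmp(username, "toor") == 0))`. The `ref:` path intentionally skips the numeric test via `!uid_not_set && uid == 0` because the uid is only resolved at runtime, and the exim.c hunk in this commit is what covers that case; a comment stating that dependency would help, e.g. `/* ref: users are resolved at runtime; exim.c repeats the uid-0 refusal */`. The enclosing function starts and ends outside the hunk, and `uid_not_set` is a double negative that reads more directly as `uid_deferred`.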
Index: exim.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/exim.c,v
retrieving revision 1.68
retrieving revision 1.69
diff -u -r1.68 -r1.69
--- exim.c 6 Jun 2010 02:08:50 -0000 1.68
+++ exim.c 6 Jun 2010 02:46:13 -0000 1.69
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/exim.c,v 1.68 2010/06/06 02:08:50 pdp Exp $ */
+/* $Cambridge: exim/exim-src/src/exim.c,v 1.69 2010/06/06 02:46:13 pdp Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -1234,6 +1234,12 @@
#ifdef EXIM_USERNAME
if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
{
+ if (exim_uid == 0)
+ {
+ fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
+ EXIM_USERNAME);
+ exit(EXIT_FAILURE);
+ }
exim_gid = pw->pw_gid;
}
else
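Review bot: The new `if (exim_uid == 0)` guard rejects a root uid, but the following context line `exim_gid = pw->pw_gid;` still accepts a primary group of 0 without comment, so an Exim user whose passwd entry carries gid 0 passes this check with root group membership. If that is deliberately out of scope for Bugzilla 752 a one-line comment saying so would save the next reader the question; if not, `if (exim_uid == 0 || pw->pw_gid == 0)` gives the group the same treatment. As far as the hunk shows, the refusal lives only inside the `#ifdef EXIM_USERNAME` branch, so a statically configured numeric uid relies entirely on the build-time test in buildconfig.c, which is worth noting in the message or a comment. The closing `#else`/`#endif` and the enclosing function are outside the hunk.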