Re: [exim-dev] potential exploitation vector

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MYuri Arabadji at <-
MYuri Arabadji at ->
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Yuri Arabadji
CC: exim-dev
Subject: Re: [exim-dev] potential exploitation vector
On 2010-11-03 at 10:42 +0200, Yuri Arabadji wrote:
> How is it possible that exim invokes something with superuser privileges and
> that something is fed with user data?

It means you've built Exim with EXIM_USER=0, something which is strongly
discouraged in the documentation of past releases and which will not be
permitted in the next release -- the build tools and a run-time check
will abort if EXIM_USER is root.

> I'm talking about things like encoding translations that happen when accessing
> variables in system filter - iconv family of functions, for example. And hey,
> why are we invoking system filter with euid 0 at all?! Is there any strong
> reason of doing that or am I getting the code incorrectly?

System filter should be being accessed as the exim user. This is either
a hard-coded uid specified by name or number, or a hard-coded usercode,
looked up at run-time. The value coded in was specified in
Local/Makefile when Exim was built and you can use:
exim -bP exim_user
to find out the value.

This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-[exim-dev] potential exploitation vector[exim-dev] [Bug 191] Option to use another address in callout MAIL FROM->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)