Re: [exim-dev] potential exploitation vector

Author: Phil Pennock
Date:  
To: Yuri Arabadji
CC: exim-dev
Subject: Re: [exim-dev] potential exploitation vector
On 2010-11-03 at 10:42 +0200, Yuri Arabadji wrote:
> How is it possible that exim invokes something with superuser privileges and
> that something is fed with user data?


It means you've built Exim with EXIM_USER=0, something which is strongly
discouraged in the documentation of past releases and which will not be
permitted in the next release -- the build tools and a run-time check
will abort if EXIM_USER is root.

> I'm talking about things like encoding translations that happen when accessing
> variables in system filter - iconv family of functions, for example. And hey,
> why are we invoking system filter with euid 0 at all?! Is there any strong
> reason of doing that or am I getting the code incorrectly?


System filter should be being accessed as the exim user. This is either
a hard-coded uid specified by name or number, or a hard-coded usercode,
looked up at run-time. The value coded in was specified in
Local/Makefile when Exim was built and you can use:
    exim -bP exim_user
to find out the value.
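
The check mentioned in the message above can be scripted. This is an added example, not part of the original message or of Exim itself: the function names are hypothetical, and it assumes `exim -bP exim_user` prints a single line of the form `exim_user = VALUE`, where VALUE is an account name or a numeric uid.

```shell
#!/bin/sh
# Added example: classify the line printed by `exim -bP exim_user`.
# On a live host:  check_exim_user "$(exim -bP exim_user)"
# Function names are hypothetical; the "exim_user = VALUE" format is assumed.

# Print the numeric uid for the value in an "exim_user = VALUE" line.
# Returns 2 if the line is malformed or the account name cannot be resolved.
exim_user_uid() {
    line=$1
    case $line in
        "exim_user = "*) value=${line#exim_user = } ;;
        *) return 2 ;;
    esac
    case $value in
        '') return 2 ;;
        *[!0-9]*)
            # Not purely numeric: treat it as an account name and resolve it.
            id -u "$value" 2>/dev/null || return 2 ;;
        *)
            echo "$value" ;;
    esac
}

# Exit status: 0 = non-root exim user, 1 = exim_user is root, 2 = unknown.
check_exim_user() {
    uid=$(exim_user_uid "$1") || return 2
    if [ "$uid" -eq 0 ]; then
        echo "exim_user resolves to uid 0 (root)"
        return 1
    fi
    echo "exim_user resolves to uid $uid"
    return 0
}
```
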