Re: [exim-dev] potential exploitation vector

Top Page

Reply to this message
Author: Phil Pennock
To: Yuri Arabadji
CC: exim-dev
Subject: Re: [exim-dev] potential exploitation vector
On 2010-11-04 at 01:07 +0200, Yuri Arabadji wrote:
> Hello, Phil.
> Thanks for your time spent on replying to my message. Let me take another
> portion of it ;)
> The specific exim's build I'm using is deployed on many hosting servers across
> the internet and it would be quite bad if this turns out to be an actual bug:
> EXIM_USER is mailnull. exim -bP exim_user outputs mailnull.
> uid=47(mailnull) gid=47(mailnull) groups=47(mailnull)
> Please see the attached traces and especially the line
> "Let's see what UIDs we've got" in exim.daemon.log.
> This is an almost unmodified CPanel exim installation. I'm attaching everything
> relevant. It would be wonderful if you could explain what's going on there and
> whether that is the expected behavior.

You're quite right, I was mis-remembering the defaults of Exim. My

We should probably look at changing the default value of


----------------------------8< cut here >8------------------------------
|system_filter_user|Use: main|Type: string|Default: unset|

If this option is not set, the system filter is run in the main Exim delivery
process, as root. When the option is set, the system filter runs in a separate
process, as the given user. Unless the string consists entirely of digits, it
is looked up in the password data. Failure to find the named user causes a
configuration error. The gid is either taken from the password data, or
specified by system_filter_group. When the uid is specified numerically,
system_filter_group is required to be set.

If the system filter generates any pipe, file, or reply deliveries, the uid
under which the filter is run is used when transporting them, unless a
transport option overrides. Normally you should set system_filter_user if your
system filter generates these kinds of delivery.
----------------------------8< cut here >8------------------------------