Re: [exim-dev] [Bug 1044] CVE-2010-4345 exim privilege escal…

Top Page

Reply to this message
Author: W B Hacker
Date:  
To: 1044
CC: exim-dev, David Woodhouse
Subject: Re: [exim-dev] [Bug 1044] CVE-2010-4345 exim privilege escalation
David Woodhouse wrote:
> ------- You are receiving this mail because: -------
> You are on the CC list for the bug.
>
> http://bugs.exim.org/show_bug.cgi?id=1044
>

*snip*

> We could change the latter so that non-root and non-exim users invoking
> config files in ALT_CONFIG_PREFIX are *never* granted root privs, but
> I'm not sure we should. Comments?


+1

>
> We might also want to have a colon-separated list of acceptable directories. In
> which case perhaps it shouldn't be repurposing ALT_CONFIG_PREFIX, but should be
> a new, different, option?
>


+1

> We should *also* fix the CONFIGURE_USER and CONFIGURE_GROUP options, so that
> the exim user/group are not permitted to own the configuration files by default
> either.
>
>


Seems harmless. Even 'almost' transparent.

AFAIK they may be *permitted* to so own at present, but 'ordinarily' do not in
fact.

Eg: bog-standard *BSD install they are in ~/etc[/local]/exim/configure[n] and
owned by root:wheel anyway - not the exim daemon-runner or group.

(I can't speak for Linux)

Those using multiple [instance|parallel|selected] configs 'most likely' expect
to deal with several out of the ordinary situations, and could reasonably be
expected to support a change here in light of events.

Bill