[exim-dev] [PATCH 3/3] Check configure file permissions even…

Author: David Woodhouse
Date:  
To: exim-dev
Subject: [exim-dev] [PATCH 3/3] Check configure file permissions even for non-default files if still privileged
(Bug 1044, CVE-2010-4345)
---
 doc/doc-txt/ChangeLog |    5 +++++
 src/src/exim.c        |    2 --
 src/src/globals.c     |    2 ++
 src/src/globals.h     |    2 ++
 src/src/readconf.c    |    6 +++---
 5 files changed, 12 insertions(+), 5 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 99a6f17..0063c6b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -78,6 +78,11 @@ DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour
       of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a
       configuration file which is writeable by the Exim user or group.


+DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability
+      of configuration files to cover files specified with the -C option if
+      they are going to be used with root privileges, not just the default
+      configuration file.
+


 Exim version 4.72
 -----------------
diff --git a/src/src/exim.c b/src/src/exim.c
index 50950fa..2a480c4 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1191,8 +1191,6 @@ BOOL queue_only_set = FALSE;
 BOOL receiving_message = TRUE;
 BOOL sender_ident_set = FALSE;
 BOOL session_local_queue_only;
-BOOL unprivileged;
-BOOL removed_privilege = FALSE;
 BOOL usage_wanted = FALSE;
 BOOL verify_address_mode = FALSE;
 BOOL verify_as_sender = FALSE;
diff --git a/src/src/globals.c b/src/src/globals.c
index 9b77d87..91b5fab 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -936,6 +936,7 @@ uschar *regex_match_string     = NULL;
 int     remote_delivery_count  = 0;
 int     remote_max_parallel    = 2;
 uschar *remote_sort_domains    = NULL;
+BOOL    removed_privilege      = FALSE;
 int     retry_data_expire      = 7*24*60*60;
 int     retry_interval_max     = 24*60*60;
 int     retry_maximum_timeout  = 0;        /* set from retry config */
@@ -1274,6 +1275,7 @@ uschar *timezone_string        = US TIMEZONE_DEFAULT;


 uschar *unknown_login          = NULL;
 uschar *unknown_username       = NULL;
+BOOL    unprivileged;
 uschar *untrusted_set_sender   = NULL;


 /*  A regex for matching a "From_" line in an incoming message, in the form
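Review bot: `BOOL    unprivileged;` on the added line of this hunk carries no initializer, unlike every neighbouring definition in globals.c and unlike the `removed_privilege      = FALSE;` added in the previous hunk. At file scope it is zero-initialised to FALSE anyway, but that implicit default is exactly what makes the new permission check in readconf.c run by default, so it deserves to be spelled out: `BOOL    unprivileged           = FALSE;`. Spelling it out also keeps the column layout of the surrounding table consistent.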
diff --git a/src/src/globals.h b/src/src/globals.h
index d66880e..cf6c2e1 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -600,6 +600,7 @@ extern uschar *regex_match_string;     /* regex that matched a line (regex ACL c
 extern int     remote_delivery_count;  /* Number of remote addresses */
 extern int     remote_max_parallel;    /* Maximum parallel delivery */
 extern uschar *remote_sort_domains;    /* Remote domain sorting order */
+extern BOOL    removed_privilege;      /* TRUE if we dropped root privs due to -C or -D options */
 extern retry_config *retries;          /* Chain of retry config information */
 extern int     retry_data_expire;      /* When to expire retry data */
 extern int     retry_interval_max;     /* Absolute maximum */
@@ -789,6 +790,7 @@ extern uschar *timezone_string;        /* Required timezone setting */


 extern uschar *unknown_login;          /* To use when login id unknown */
 extern uschar *unknown_username;       /* Ditto */
+extern BOOL    unprivileged;           /* Exim started in unprivileged state */
 extern uschar *untrusted_set_sender;   /* Let untrusted users set these senders */
 extern uschar *uucp_from_pattern;      /* For recognizing "From " lines */
 extern uschar *uucp_from_sender;       /* For building the sender */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 414b7ae..1f6eca8 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -2874,10 +2874,10 @@ else
       "configuration file %s", filename));
   }


-/* Check the status of the file we have opened, unless it was specified on
-the command line, in which case privilege was given away at the start. */
+/* Check the status of the file we have opened, if we have retained root
+privileges. */

-if (!config_changed)
+if (!unprivileged && !removed_privilege)
   {
   if (fstat(fileno(config_file), &statbuf) != 0)
     log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to stat configuration file %s",
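Review bot: The new guard `if (!unprivileged && !removed_privilege)` makes the configuration-file permission check depend on two globals this function never sets, and the rewritten comment above it does not say where they must be established or what happens if they are not. From the page only their declarations are visible (`/* Exim started in unprivileged state */`, `/* TRUE if we dropped root privs due to -C or -D options */`), so they are presumably set during command-line option handling before readconf runs; because both are zero-initialised to FALSE, a path that reaches here before they are set still performs the check, which is the fail-closed direction and worth recording so nobody later changes either default to TRUE. Suggested replacement for the two new comment lines: `/* Check the status of the file we have opened, if we have retained root privileges. Both flags default to FALSE (check runs) and are expected to be set during command-line processing before this point. */`. The body of the enclosing if, including the fstat() failure path started on the last line, continues outside the hunk.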
-- 
1.7.3.2