Re: [exim-dev] [PATCH 2/3] Don't allow a configure file whic…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: David Woodhouse
Dátum:  
Címzett: Andreas Metzler, exim-dev
Tárgy: Re: [exim-dev] [PATCH 2/3] Don't allow a configure file which iswriteable by the Exim user or group
Thanks for the feedback. I'll fix that and push later this evening.

With that done, I think the biggest issue with privilege escalation is mostly dealt with. An attacker can't make their own config file; they'd have to find a root-owned file lying around which looked enough like an Exim config and did something stupid.

It's not a panacea; we do want to kill ALT_CONFIG_ROOT_ONLY too and do some kind of whitelist of trusted configs. But it's a large part of the answer.

--
dwmw2