[exim-dev] Candidate patches for privilege escalation

Top Page

Reply to this message
Author: David Woodhouse
Date:  
To: exim-dev
New-Topics: [exim-dev] [PATCH 2/6] Don't allow a configure file which is writeable by the Exim user or group, [exim-dev] [PATCH 6/6] Set FD_CLOEXEC on SMTP sockets after forking to handle the connection., [exim-dev] [PATCH 3/6] Check configure file permissions even for non-default files if still privileged, [exim-dev] [PATCH 5/6] Add TRUSTED_CONFIG_PREFIX_FILE option, [exim-dev] [PATCH 1/6] Add Valgrind hooks for memory pools, [exim-dev] [PATCH 4/6] Remove ALT_CONFIG_ROOT_ONLY build option, effectively making it always true.
Subject: [exim-dev] Candidate patches for privilege escalation
I've just pushed a set of patches to
    http://git.exim.org/users/dwmw2/exim.git
    git://git.exim.org/users/dwmw2/exim.git


They do the following:

- Add Valgrind hooks to the store pools to aid debugging.

- Don't use config files as root if they're writeable by non-root
users/groups. Including the Exim user/group.

- Kill ALT_CONFIG_ROOT_ONLY as discussed, so only root can specify
arbitrary files on the command line with the -C option. If the Exim
user uses -C, or uses the -D option to set macros, then root privs
will be dropped.

- Add a TRUSTED_CONFIG_PREFIX_FILE option. If set, it gives a filename
for a file that contains prefix strings, like the ALT_CONFIG_PREFIX.
Each line in that file specifies a prefix for config files which are
to be trusted, and executed with root privilege if seen in the -C
option, regardless of which user Exim is invoked by. As long as the
config file is not writeable by anyone but root, of course.

- Set FD_CLOEXEC on SMTP sockets after forking to handle the connection.


The TRUSTED_CONFIG_PREFIX_FILE one wants a little more attention; I
haven't properly tested it yet. But it's 3am so not right now...

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@???                              Intel Corporation