Re: [exim-dev] Candidate patches for privilege escalation

Author: Phil Pennock
To: David Woodhouse
CC: exim-dev
Subject: Re: [exim-dev] Candidate patches for privilege escalation
On 2010-12-13 at 14:24 +0000, David Woodhouse wrote:
> On Sun, 2010-12-12 at 05:28 -0500, Phil Pennock wrote:
> > > - Don't use config files as root if they're writeable by non-root
> > > users/groups. Including the Exim user/group.
> >
> > This appears to be a misleading statement. Really, you're removing the
> > Exim user/group from being permitted owners by default. But if instead
> > we look at what you wrote as the goal, then this is awkward.
> I gave you a fairly firm rebuttal to this, but I don't want to give the
> impression that I'm not open to alternative suggestions. We do need to
> be very careful about the privilege separation though, otherwise it's
> just a fig leaf. I'd be very interested to hear alternatives if you have
> them.
> OTOH if we *have* reached a consensus that what's in my git tree is
> fairly much the way forward, then I'd like to push it today and then we
> can concentrate on testing and making sure that the extra restrictions
> haven't broken functionality in various corner cases.

I'm concerned about the -MC* case, with -C/-D options being passed down
from a root-invoked Exim, reinvoking itself for delivery. Otherwise,
looks fine to me.

Perhaps, for the Exim-user case, we block -C and let the config file
define a list of macros which can be overridden on the command-line with
-D when the user is Exim? That way, things like -DTLS can be passed
through safely.

I really am concerned that without this, we're going to break some
working setups.
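To make the two mechanisms discussed in this thread concrete (refusing a config file that untrusted users could modify, and the proposal above to block -C while letting the config name which -D macros the Exim user may override), here is an added Python illustration. It is not Exim code and not part of this message or of the patches under discussion; the directive name `exim_user_overridable_macros`, the sample configuration, and the command lines are constructed for the example, and the file checks are run against temporary files rather than a real Exim installation.

```python
import os
import stat
import tempfile

# Hypothetical config directive (not a real Exim option) naming the macros
# that may be overridden with -D when Exim is invoked as the Exim user.
OVERRIDABLE_DIRECTIVE = "exim_user_overridable_macros"

# Constructed sample configuration fragment, not a real Exim configuration.
SAMPLE_CONFIG = """# constructed example
exim_user_overridable_macros = TLS, DEBUG_LEVEL
primary_hostname = mail.example.test
"""


def config_writable_by_untrusted(path, trusted_uids=(0,)):
    """True if someone other than the trusted uids could modify `path`:
    the file is owned by an untrusted uid, or is group/world writable."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def parse_overridable_macros(config_text):
    """Return the set of macro names the config allows the Exim user to
    override with -D (empty set if the directive is absent)."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == OVERRIDABLE_DIRECTIVE:
            return {m.strip() for m in value.split(",") if m.strip()}
    return set()


def split_command_line(args, allowlist, running_as_exim=True):
    """Partition argv-style options into (accepted, rejected).

    When running as the Exim user: every -C (alternate config file) is
    rejected, and a -D is accepted only if its macro name is on the
    allowlist. Other options pass through untouched."""
    accepted, rejected = [], []
    it = iter(args)
    for arg in it:
        if arg.startswith("-C"):
            # A bare "-C" takes its path from the following argument.
            path = arg[2:] or next(it, "")
            (rejected if running_as_exim else accepted).append("-C" + path)
        elif arg.startswith("-D"):
            name = arg[2:].split("=", 1)[0]
            if not running_as_exim or name in allowlist:
                accepted.append(arg)
            else:
                rejected.append(arg)
        else:
            accepted.append(arg)
    return accepted, rejected


def check_sample_configs():
    """Create temporary files with different modes and report which ones
    the writability check would refuse. The current uid plays the role of
    the trusted owner; an empty trusted set simulates an untrusted owner."""
    results = {}
    for label, mode in (("0644", 0o644), ("0664", 0o664), ("0666", 0o666)):
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            path = tmp.name
        try:
            os.chmod(path, mode)
            results[label] = config_writable_by_untrusted(
                path, trusted_uids=(0, os.getuid()))
        finally:
            os.unlink(path)
    with tempfile.NamedTemporaryFile() as tmp:
        os.chmod(tmp.name, 0o644)
        results["untrusted_owner"] = config_writable_by_untrusted(
            tmp.name, trusted_uids=())
    return results


if __name__ == "__main__":
    allow = parse_overridable_macros(SAMPLE_CONFIG)
    argv = ["-DTLS", "-DDEBUG_LEVEL=2", "-DOTHER=1", "-C", "/tmp/x.conf", "-MC", "id"]
    print("allowlist:", sorted(allow))
    print("accepted/rejected:", split_command_line(argv, allow))
    print("file checks:", check_sample_configs())
```

The point of the split is that a re-invocation from a root-started Exim (the -MC case raised above) keeps its allowlisted -D macros while any -C and any unlisted -D are dropped rather than silently honoured.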