Re: [exim-dev] Candidate patches for privilege escalation

Top Page

Reply to this message
Author: W B Hacker
To: David Woodhouse
CC: Phil Pennock, exim-dev
Subject: Re: [exim-dev] Candidate patches for privilege escalation
David Woodhouse wrote:
> On Mon, 2010-12-13 at 18:01 -0500, Phil Pennock wrote:
>> One of the installation modes for mailscanner is to make the spool
>> directory be a macro:
> Wait a minute, wasn't that broken even *before* we started to further
> restrict the use of -C and -D?
> It says (near the end):
>     If there is any software running on the machine that generates email
>     that should be scanned (e.g. a webmail application) you can still use
>     this setup, but you must configure the application either to submit
>     email via SMTP, or to use the extra command-line options
>     -odq -DSPOOL=/var/spool/

> But if the application gave -DSPOOL= on the command line, it wouldn't
> have been trusted. Exim would have dropped privileges to the *real*
> user, not to Exim. And thus wouldn't have been allowed to write to the
> spool.

.... all depending on the user and group membership of said 'real' user, AND
those of the spool.

Locally alterable, as in our practice w/r the 'postal' group.

Hence even testing 'vanilla' installs is at best indicative of devel *intent*,
not of real-world practice. Your arms reach only to the hands.

For the same reason, several of the restrictions presently in-work are not.

Against gaining 'root' one certainly hopes.

But as a barrier to rude behaviour of other group co-workers?

Not necessarily.

Not sure extensive compiled-in perms checking would be more help than hindrance,
either (fresh scars from PostgreSQL biting me in the anatomy on that score not
24 hours ago).