Re: [exim-dev] Candidate patches for privilege escalation

Author: David Woodhouse
To: Phil Pennock
CC: exim-dev
Subject: Re: [exim-dev] Candidate patches for privilege escalation
On Tue, 2010-12-14 at 03:48 -0500, Phil Pennock wrote:
> On 2010-12-14 at 08:06 +0000, David Woodhouse wrote:
> > On Mon, 2010-12-13 at 18:01 -0500, Phil Pennock wrote:
> > >
> > > One of the installation modes for mailscanner is to make the spool
> > > directory be a macro:
> > >
> > >
> >
> > Wait a minute, wasn't that broken even *before* we started to further
> > restrict the use of -C and -D?
> No, because mailscanner runs as the Exim user, so is therefore trusted.

But this was for use by applications which are generating email that
needs to be scanned. It's not clear that *those* are trusted.

Anyway, the build-time list of macros which may be defined without
losing privs, with appropriate restrictions on the *content* of those
macros, ought to be fine. If you want to implement that, I have no
objections to it even though I'm not really convinced we *need* it.
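
The check proposed in the last paragraph, sketched as an added example; it is not code from Exim or from any patch in this thread. The macro names in the list and the permitted character set for values are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical build-time list; these names are constructed for the example. */
static const char *const allowed_macros[] = { "SPOOLDIR", "SCAN_MODE" };

/* Assumed content rule: only [A-Za-z0-9_/.-], so expansion operators
   ($, {, }), whitespace and quotes never reach the configuration. */
static int value_is_safe(const char *v)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_/.-";
    return v[strspn(v, ok)] == '\0';
}

/* Exact-length comparison, so a prefix of a listed name does not match. */
static int name_is_whitelisted(const char *name, size_t len)
{
    size_t n = sizeof allowed_macros / sizeof allowed_macros[0];
    for (size_t i = 0; i < n; i++)
        if (strlen(allowed_macros[i]) == len &&
            memcmp(allowed_macros[i], name, len) == 0)
            return 1;
    return 0;
}

/* defs holds the text following each -D option ("NAME" or "NAME=value").
   Returns 1 if privileges may be kept, 0 if the caller must drop them. */
int may_keep_privilege(const char *const *defs, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        const char *eq = strchr(defs[i], '=');
        size_t name_len = eq ? (size_t)(eq - defs[i]) : strlen(defs[i]);
        const char *value = eq ? eq + 1 : "";   /* bare NAME: empty value */

        if (!name_is_whitelisted(defs[i], name_len))
            return 0;                           /* macro not on the list */
        if (!value_is_safe(value))
            return 0;                           /* forbidden character */
    }
    return 1;
}
```

A single definition that fails either test is enough to lose privileges for the whole invocation, which keeps the decision independent of argument order.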