Re: [exim-dev] Security of ${dlfunc

On 13/12/10 23:02, Tony Finch wrote:
> ${dlfunc is not included in the default build. If it is included then
> anyone who can modify the configuration file can insert arbitrary code
> into Exim, since ${dlfunc includes the filename of the shared object to be
> loaded. IIRC when developing the feature I thought this was OK since it's
> roughly as dangerous as ${run. Clearly this isn't in fact OK.
>
> I propose to change the feature to allow the shared object to be specified
> at compile time instead of run time. This has the advantage of making the
> configuration syntax less cluttered. For compatibility I'll allow a set of
> acceptable shared object parent directories to be compiled in, so if a
> filename is specified in ${dlfunc then it can be checked for safety.
> The idea is similar logic to David's config file safety work.
>
> PS. sorry for my lack of contributions last week. I couldn't keep up with
> the rest of you so never had anything to add!

I thought the point of dlfunc was to allow for code to be included in
Exim that wasn't compiled in to start with. ie If you were using Debian
4.69 light and wanted some special piece of code to do do whatzit, you
just dlfunc include some code and voila, all done. If the binary has to
be recompiled, it somewhat defeats the whole purpose of it.

The changes to the allowed config file and when root priv is being
dropped should be enough to protect ${run} and by the comparison in your
post, ${dlfunc}