Author: David Woodhouse
Date:
To: W B Hacker
CC: exim-dev, Philip Hazel, Ted Cooper, Phil Pennock
Subject: Re: [exim-dev] Security of ${dlfunc
On Wed, 2010-12-15 at 08:10 -0500, W B Hacker wrote:

> At the very least, these over-helpful critters and their kin should be
> pulled back to non-default compile time options. And their hazards made
> VERY clear.

I disagree.

Firstly, the flexibility you're talking about is what makes Exim what it
is. If I wanted a crippled MTA that couldn't do half the things I
currently do with Exim, then I'd be using Postfix.

And secondly, the problem here is *not* the features. The problem here
is that we allowed its behaviour, when running as root, to be controlled
by a user that was not root and should not have been trusted. It was a
fault in the privilege separation design, pure and simple.

Even if we lost all the features which actually make Exim worthwhile,
and all it could do was append to a text file, that could still be
abused if the privilege separation isn't working right.

I think our direction at the moment, fixing the privilege separation
issues and allowing for only *certain* variations which are "blessed" in
advance by the root user, is the correct one.
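The privilege-separation rule argued for in this message, as an added illustration that is not Exim's code and not part of the thread: before a process running as root acts on a file (a configuration, an override list, a "blessed" variation), it should verify that the file and its directory are owned by a trusted uid and cannot be rewritten or swapped by anyone else. The function `is_trusted_file` and the `demo()` harness below are this example's own; the file names, contents and the trusted-uid sets are constructed for the demonstration, with the running user's uid standing in for root.

```python
"""Added example: decide whether a privileged process may trust a file.

Each check closes one way an untrusted user could otherwise steer a root
process: a symlink they control, a file they own, a file anyone can edit,
or a parent directory in which they could replace the file.
"""
import os
import stat
import tempfile


def is_trusted_file(path, trusted_uids):
    """Return (ok, reason); ok is True only if every trust condition holds.

    trusted_uids: the uids (normally just root) whose files the daemon
    may act on.
    """
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink silently
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid not in trusted_uids:
        return False, "untrusted owner uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group- or world-writable"

    # The directory matters too: if others can rename/unlink entries in
    # it, they can swap in their own file under the trusted name.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid not in trusted_uids:
        return False, "untrusted directory owner uid %d" % parent.st_uid
    writable_by_others = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable_by_others and not parent.st_mode & stat.S_ISVTX:
        return False, "directory writable by others without sticky bit"
    return True, "ok"


def demo():
    """Build a few constructed files in a private temp dir and report which
    ones a root process should accept. The current uid plays 'root'."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:  # created mode 0700, owned by us
        good = os.path.join(d, "good.conf")
        with open(good, "w") as f:
            f.write("# constructed sample: blessed by the admin\n")
        os.chmod(good, 0o644)

        ww = os.path.join(d, "world_writable.conf")
        with open(ww, "w") as f:
            f.write("# constructed sample: anyone could rewrite this\n")
        os.chmod(ww, 0o666)

        link = os.path.join(d, "link.conf")
        os.symlink(good, link)

        results["good"] = is_trusted_file(good, {me})
        results["world_writable"] = is_trusted_file(ww, {me})
        results["symlink"] = is_trusted_file(link, {me})
        # Same good file, but the daemon trusts a different owner: rejected.
        results["wrong_owner"] = is_trusted_file(good, {me + 1})
        results["missing"] = is_trusted_file(os.path.join(d, "nope.conf"), {me})
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-15s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", why))
```

The point of the ordering is that ownership and writability are checked on the file itself before the process opens it, and that the directory is checked as well; a correctly permissioned file in a directory others can write to is not a trusted input.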