Re: [exim-dev] Security of ${dlfunc

Startseite
Nachricht löschen
Nachricht beantworten
Autor: David Woodhouse
Datum:  
To: W B Hacker
CC: exim-dev, Philip Hazel, Ted Cooper, Phil Pennock
Betreff: Re: [exim-dev] Security of ${dlfunc
On Wed, 2010-12-15 at 08:10 -0500, W B Hacker wrote:
>
> At the very least, these over-helpful critters and their kin should be
> pulled
> back to non-default compile time options. And their hazards made VERY
> clear.


I disagree.

Firstly, the flexibility you're talking about is what makes Exim what it
is. If I wanted a crippled MTA that couldn't do half the things I
currently do with Exim, then I'd be using Postfix.

And secondly, the problem here is *not* the features. The problem here
is that we allowed its behaviour, when running as root, to be controlled
by a user that was not root and should not have been trusted. It was a
fault in the privilege separation design, pure and simple.

Even if we lost all the features which actually make Exim worthwhile,
and all it could do was append to a text file, that could still be
abused if the privilege separation isn't working right.

I think our direction at the moment, fixing the privilege separation
issues and allowing for only *certain* variations which are "blessed" in
advance by the root user, is the correct one.

--
dwmw2