Re: [exim-dev] Security of ${dlfunc

Author: David Woodhouse
Date:  
To: W B Hacker
CC: exim-dev, Philip Hazel, Ted Cooper, Phil Pennock
Subject: Re: [exim-dev] Security of ${dlfunc
On Wed, 2010-12-15 at 08:10 -0500, W B Hacker wrote:
>
> At the very least, these over-helpful critters and their kin should be
> pulled back to non-default compile time options. And their hazards made
> VERY clear.

I disagree.

Firstly, the flexibility you're talking about is what makes Exim what it
is. If I wanted a crippled MTA that couldn't do half the things I
currently do with Exim, then I'd be using Postfix.

And secondly, the problem here is *not* the features. The problem here
is that we allowed its behaviour, when running as root, to be controlled
by a user that was not root and should not have been trusted. It was a
fault in the privilege separation design, pure and simple.

Even if we lost all the features which actually make Exim worthwhile,
and all it could do was append to a text file, that could still be
abused if the privilege separation isn't working right.

I think our direction at the moment, fixing the privilege separation
issues and allowing for only *certain* variations which are "blessed" in
advance by the root user, is the correct one.

--
dwmw2
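The rule argued for above, that a process running as root must only let its behaviour vary in ways root has blessed in advance, as an added example in Python. This is not Exim's code and does not reproduce Exim's actual checks; the config file names, the `BLESSED_OVERRIDES` set, the `key = value` file format and the demo scenario are assumptions made for illustration. The two checks shown are the ones a practitioner would reach for first: refuse to trust a configuration file that a non-root user could have written (or planted via a symlink), and let an unprivileged caller override only a pre-approved set of settings, failing hard on anything else.

```python
import os
import stat
import tempfile

# Assumption (illustrative, not Exim's real list): the only settings root
# has agreed in advance that an unprivileged caller may vary.
BLESSED_OVERRIDES = frozenset({"log_file_path", "queue_run_max"})


class UntrustedInputError(Exception):
    """Raised when a privileged operation would be steered by untrusted input."""


def config_is_root_blessed(path, trusted_uid=0):
    """True only if path is a regular file owned by trusted_uid that nobody
    else can write. lstat() is used so a symlink planted by a user is
    rejected outright instead of being followed to a root-owned target."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != trusted_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False          # another user could rewrite it before root reads it
    return True


def filter_overrides(requested, caller_is_trusted):
    """Enforce 'blessed variations only' on caller-supplied settings.
    A trusted caller may set anything; an untrusted one may only touch
    names in BLESSED_OVERRIDES, and anything else is a hard error so the
    privileged side never silently runs with half-applied input."""
    if caller_is_trusted:
        return dict(requested)
    for name in requested:
        if name not in BLESSED_OVERRIDES:
            raise UntrustedInputError(
                f"unprivileged caller may not override {name!r}")
    return dict(requested)


def load_config(path, overrides, caller_uid, trusted_uid=0):
    """Parse a trivial 'key = value' file, but only after both trust checks pass."""
    if not config_is_root_blessed(path, trusted_uid):
        raise UntrustedInputError(
            f"{path} is not owned by uid {trusted_uid} or is writable by others")
    settings = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition("=")
                settings[key.strip()] = value.strip()
    settings.update(filter_overrides(overrides, caller_uid == trusted_uid))
    return settings


def demo(trusted_uid=None):
    """Constructed scenario: three candidate config files in a temp dir.
    Returns which ones pass the ownership/permission check, what an
    unprivileged caller ends up with after a blessed override, and whether
    a non-blessed override was rejected. trusted_uid defaults to the
    current uid so the demo runs without actually being root."""
    if trusted_uid is None:
        trusted_uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "exim.conf")
        loose = os.path.join(d, "exim-world-writable.conf")
        link = os.path.join(d, "exim-link.conf")
        sample = "# constructed sample config\nprimary_hostname = mail.example\nqueue_run_max = 5\n"
        for p in (good, loose):
            with open(p, "w") as fh:
                fh.write(sample)
        os.chmod(good, 0o644)
        os.chmod(loose, 0o666)   # world-writable: a non-root user could change it
        os.symlink(good, link)   # symlink: not trusted even though its target is
        verdicts = {
            "good": config_is_root_blessed(good, trusted_uid),
            "loose": config_is_root_blessed(loose, trusted_uid),
            "link": config_is_root_blessed(link, trusted_uid),
        }
        unpriv = trusted_uid + 1   # some uid other than the trusted one
        merged = load_config(good, {"queue_run_max": "2"}, unpriv, trusted_uid)
        try:
            load_config(good, {"primary_hostname": "attacker.example"}, unpriv, trusted_uid)
            rejected = False
        except UntrustedInputError:
            rejected = True
        return verdicts, merged, rejected
```

Run `demo()` on a POSIX system: only the root-owned, non-writable regular file is accepted, the unprivileged caller's `queue_run_max` override is honoured because it is on the blessed list, and its attempt to set `primary_hostname` is refused. Note that the check rejects the whole file rather than trying to sanitise individual features inside it, which is the point of the message above: the danger is untrusted control over a root process, not any particular feature.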