[exim-cvs] Change the default for system_filter_user.

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Change the default for system_filter_user.
Gitweb: http://git.exim.org/exim.git/commitdiff/79d4bc3d95d75446a2d149ca35525f078a978027
Commit:     79d4bc3d95d75446a2d149ca35525f078a978027
Parent:     1e83d68b72d24d6255d2e78facbe01656515ab4f
Author:     Phil Pennock <pdp@???>
AuthorDate: Tue Dec 14 00:30:30 2010 -0500
Committer:  Phil Pennock <pdp@???>
CommitDate: Tue Dec 14 00:30:30 2010 -0500

    Change the default for system_filter_user.

    If the system filter needs to be run as root, let that be explicitly
    configured.  The default is now the Exim run-time user.

    Document this, and a couple of other points, in IncompatibleChanges.
---
 doc/doc-txt/ChangeLog           |    3 ++
 doc/doc-txt/IncompatibleChanges |   45 +++++++++++++++++++++++++++++++++++++++
 doc/doc-txt/NewStuff            |    3 ++
 src/src/exim.c                  |    4 +++
 src/src/globals.c               |    2 +-
 5 files changed, 56 insertions(+), 1 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 624e0a8..fe9c42a 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -92,6 +92,9 @@ DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration
 DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure
       that rogue child processes cannot use them.


+PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim
+      run-time user, instead of root.
+


 Exim version 4.72
 -----------------
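Review bot: the PP/27 entry does not signal that this is a behaviour change an existing configuration can trip over; unlike the NewStuff entry in the same commit, which carries a [POSSIBLE CONFIG BREAKAGE] tag, a reader scanning ChangeLog sees only "change the default". Suggest adding a pointer such as "(see doc/doc-txt/IncompatibleChanges)" so the two documents cross-reference each other.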
diff --git a/doc/doc-txt/IncompatibleChanges b/doc/doc-txt/IncompatibleChanges
new file mode 100644
index 0000000..b578faa
--- /dev/null
+++ b/doc/doc-txt/IncompatibleChanges
@@ -0,0 +1,45 @@
+Preamble
+========
+
+Normally The Exim Maintainers ensure that a configuration which works
+with version N will work with version N+1, within a major version number
+(eg, 4).
+
+Occasionally this will not be the case; usually, those changes will be
+at the end of a long notice period where admins have been encouraged to
+move away and even then, we are hesitant to fully break things without
+strong cause to move away.
+
+This does not apply to "experimental" features, which can be withdrawn
+or changed with little notice, although we still endeavour to limit
+that.  We may choose to note those changes here too.
+
+The most likely cause of a backwards-incompatible change is a security
+improvement, where the benefits for everyone strongly outweigh the needs
+of the few.
+
+
+Changes
+=======
+
+Exim version 4.73
+-----------------
+
+ * The Exim run-time user can no longer be root; this was always
+   strongly discouraged, but is now prohibited both at build and
+   run-time.  If you need Exim to run routinely as root, you'll need to
+   patch the source and accept the risk.  Here be dragons.
+
+ * Exim will no longer accept a configuration file owned by the Exim
+   run-time user, unless that account is explicitly the value in
+   CONFIGURE_OWNER, which we discourage.  Exim now checks to ensure that
+   files are not writable by other accounts.
+
+ * ALT_CONFIG_ROOT_ONLY is no longer optional and is forced on; the Exim
+   user can no longer use -C/-D and retain privilege.
+
+ * The system_filter_user option now defaults to the Exim run-time user,
+   rather than root.  You can still set it explicitly to root and this
+   can be done with prior versions too, letting you roll versions
+   without needing to change this configuration option.
+
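Review bot: the second preamble paragraph repeats "move away" twice in one sentence ("encouraged to move away and even then, we are hesitant to fully break things without strong cause to move away"), which makes it hard to parse; suggest dropping the trailing "to move away" or rewording to "without strong cause". On the system_filter_user bullet, it would help administrators to name the symptom to expect rather than only the new value: a system filter whose actions previously depended on root privilege will now execute under the Exim run-time user, so the bullet could advise checking the filter for such actions before upgrading, and note that setting system_filter_user = root explicitly is the escape hatch (the bullet already says this works on prior versions too, which is the right migration story).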
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 2609d0a..cedfc6e 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -94,6 +94,9 @@ Version 4.73
     default value is set at build time using the TCP_WRAPPERS_DAEMON_NAME
     build option.


+11. [POSSIBLE CONFIG BREAKAGE] The default value for system_filter_user is now
+    the Exim run-time user, instead of root.
+


Version 4.72
------------
diff --git a/src/src/exim.c b/src/src/exim.c
index 6b82013..729114c 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1268,6 +1268,10 @@ if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
}
#endif

+/* We default the system_filter_user to be the Exim run-time user, as a
+sane non-root value. */
+system_filter_uid = exim_uid;
+
#ifdef CONFIGURE_GROUPNAME
if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
{
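Review bot: the new assignment `system_filter_uid = exim_uid;` sets the uid but leaves `system_filter_uid_set` at its FALSE default (the flag is visible in the globals.c hunk of this same commit). Any consumer that tests `system_filter_uid_set` before using `system_filter_uid` to decide which user to run the filter as will not see this default; please confirm that the delivery code uses the uid value unconditionally, or set the flag here as well. The comment could also say that a later `system_filter_user` setting in the configuration file overrides this value, since that ordering (assignment before the configuration is read) is what makes the explicit-root workaround in IncompatibleChanges work.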
diff --git a/src/src/globals.c b/src/src/globals.c
index f77fbcc..500691c 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1189,7 +1189,7 @@ uschar *system_filter_reply_transport = NULL;

 gid_t   system_filter_gid      = 0;
 BOOL    system_filter_gid_set  = FALSE;
-uid_t   system_filter_uid      = 0;
+uid_t   system_filter_uid      = (uid_t)-1;
 BOOL    system_filter_uid_set  = FALSE;
 BOOL    system_filtering       = FALSE;
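Review bot: changing the static initialiser from 0 to `(uid_t)-1` turns the global into a sentinel for "not yet assigned", but nothing on this line says so, and the real default is now established elsewhere (in exim.c, in the same commit). Suggest a trailing comment such as `/* set to exim_uid in exim.c */` so that a reader of globals.c does not take (uid_t)-1 for the effective default; a code path that reads `system_filter_uid` before main() reaches that assignment would otherwise run with an invalid uid rather than root, which is the safer failure mode but worth documenting.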