[exim-cvs] Implement -D whitelist invoking user restriction.

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Implement -D whitelist invoking user restriction.
Gitweb: http://git.exim.org/exim.git/commitdiff/66581d1e830f4e68f2b074b8d79a80645c6a72ea
Commit:     66581d1e830f4e68f2b074b8d79a80645c6a72ea
Parent:     2cfd322193567dbbeca47b0fc0ee2836f46e2600
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Dec 15 02:43:33 2010 -0500
Committer:  David Woodhouse <David.Woodhouse@???>
CommitDate: Wed Dec 15 12:22:36 2010 +0000


    Implement -D whitelist invoking user restriction.


    Document WHITELIST_D_MACROS.
---
 doc/doc-docbook/spec.xfpt |   34 ++++++++++++++++++++++++++++++++--
 doc/doc-txt/ChangeLog     |    1 +
 src/src/exim.c            |   15 +++++++++++++++
 3 files changed, 48 insertions(+), 2 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 996b2e5..b2c40e4 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3374,6 +3374,14 @@ unprivileged caller, it causes Exim to give up its root privilege.
If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
completely disabled, and its use causes an immediate error exit.

+If WHITELIST_D_MACROS is defined in &_Local/Makefile_& then it should be a
+colon-separated list of macros which are considered safe and, if &%-D%& only
+supplies macros from this list, and the values are acceptable, then Exim will
+not give up root privilege if the caller is root, the Exim run-time user, or
+the CONFIGURE_OWNER, if set. This is a transition mechanism and is expected
+to be removed in the future. Acceptable values for the macros satisfy the
+regexp: &`^[A-Za-z0-9_/.-]*$`&
+
The entire option (including equals sign if present) must all be within one
command line item. &%-D%& can be used to set the value of a macro to the empty
string, in which case the equals sign is optional. These two commands are
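Review bot: the new paragraph says privilege is kept "if the caller is root, the Exim run-time user, or the CONFIGURE_OWNER", while the later item in the security section and the exim.c check both decide on the real uid; say "real uid" here too so the three descriptions agree. It would also help to state what happens when a macro is not on the list or its value fails the regexp (as far as this patch shows, the existing behaviour of giving up root privilege, not the immediate error exit described for DISABLE_D_OPTION in the sentence just above), since readers of two adjacent paragraphs may assume the same failure mode.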
@@ -4557,6 +4565,16 @@ non-privileged user causes Exim to discard its root privilege.
If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
completely disabled, and its use causes an immediate error exit.

+The WHITELIST_D_MACROS option in &_Local/Makefile_& permits the binary builder
+to declare certain macro names trusted, such that root privilege will not
+necessarily be discarded.
+WHITELIST_D_MACROS defines a colon-separated list of macros which are
+considered safe and, if &%-D%& only supplies macros from this list, and the
+values are acceptable, then Exim will not give up root privilege if the caller
+is root, the Exim run-time user, or the CONFIGURE_OWNER, if set.  This is a
+transition mechanism and is expected to be removed in the future.  Acceptable
+values for the macros satisfy the regexp: &`^[A-Za-z0-9_/.-]*$`&
+
 Some sites may wish to use the same Exim binary on different machines that
 share a file system, but to use different configuration files on each machine.
 If CONFIGURE_FILE_USE_NODE is defined in &_Local/Makefile_&, Exim first
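Review bot: this paragraph repeats the text added at the -D option (line 3374 hunk) almost verbatim, including the regexp; duplicated normative text drifts, so keep the full description in one place and cross-reference it from the other. "such that root privilege will not necessarily be discarded" is also vaguer than the rule being documented: privilege is kept exactly when the real uid is one of the three listed, every macro is in the list, and every value matches the regexp, so say that rather than "not necessarily".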
@@ -33805,7 +33823,8 @@ configuration file, and using it to break into other accounts.
 If a non-trusted configuration file (i.e. the default configuration file or
 one which is trusted by virtue of matching a prefix listed in the
 TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are
-given with &%-D%&, then root privilege is retained only if the caller of Exim
+given with &%-D%& (but see the next item),
+then root privilege is retained only if the caller of Exim
 is root. This locks out the possibility of testing a configuration using &%-C%&
 right through message reception and delivery, even if the caller is root. The
 reception works, but by that time, Exim is running as the Exim user, so when
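Review bot: after this change the sentence "root privilege is retained only if the caller of Exim is root" is no longer the whole story for -D, and "(but see the next item)" placed mid-sentence makes the reader guess why; "given with &%-D%& (unless only whitelisted macros are given; see the next item)" would carry the exception in place.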
@@ -33813,6 +33832,14 @@ it re-execs to regain privilege for the delivery, the use of &%-C%& causes
 privilege to be lost. However, root can test reception and delivery using two
 separate commands.
 .next
+The WHITELIST_D_MACROS build option declares some macros to be safe to override
+with &%-D%& if the real uid is one of root, the Exim run-time user or the
+CONFIGURE_OWNER, if defined.  The potential impact of this option is limited by
+requiring the run-time value supplied to &%-D%& to match a regex that errs on
+the restrictive side.  Requiring build-time selection of safe macros is onerous
+but this option is intended solely as a transition mechanism to permit
+previously-working configurations to continue to work after release 4.73.
+.next
 If DISABLE_D_OPTION is defined, the use of the &%-D%& command line option
 is disabled.
 .next
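Review bot: "a regex that errs on the restrictive side" is the only description of the value check in the security section, which is where an administrator assessing exposure will look; quote the pattern &`^[A-Za-z0-9_/.-]*$`& here as the -D option text does, and say explicitly that "/" and "." are allowed so that path-like values pass. "continue to work after release 4.73" should also say what changed in 4.73 so the item stands on its own.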
@@ -33868,9 +33895,12 @@ uid and gid in the following cases:
 If the &%-C%& option is used to specify an alternate configuration file, or if
 the &%-D%& option is used to define macro values for the configuration, and the
 calling process is not running as root, the uid and gid are changed to those of
- the calling process.
+the calling process.
 However, if DISABLE_D_OPTION is defined in &_Local/Makefile_&, the &%-D%&
 option may not be used at all.
+If WHITELIST_D_MACROS is defined in &_Local/Makefile_&, then some macro values
+can be supplied if the calling process is running as root, the Exim run-time
+user or CONFIGURE_OWNER, if defined.
 .next
 .oindex "&%-be%&"
 .oindex "&%-bf%&"
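Review bot: "some macro values can be supplied" leaves out both conditions that matter here (the macro must be listed in WHITELIST_D_MACROS and its value must match the regexp) and the consequence (the uid and gid are not changed); this is the paragraph that enumerates when Exim changes uid, so the exception should be stated precisely. The whitespace fix of " the calling process." is unrelated to the feature and would be easier to review in its own commit.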
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 386a15b..162d6c5 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -99,6 +99,7 @@ PP/28 Add WHITELIST_D_MACROS option to let some macros be overriden by the
       Exim run-time user without dropping privileges.



+
Exim version 4.72
-----------------
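Review bot: this hunk only adds a blank line under the PP/28 entry, so it is stray whitespace; either drop it or, while touching the entry, fix "overriden" to "overridden" in the context line above and note that the option is a transition mechanism, as the spec text added in this commit says.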

diff --git a/src/src/exim.c b/src/src/exim.c
index f50a62b..7498682 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1159,6 +1159,21 @@ if (macros == NULL)
return FALSE;
#else

+/* We only trust -D overrides for some invoking users:
+root, the exim run-time user, the optional config owner user.
+I don't know why config-owner would be needed, but since they can own the
+config files anyway, there's no security risk to letting them override -D. */
+if ( ! ((real_uid == root_uid)
+     || (real_uid == exim_uid)
+#ifdef CONFIGURE_OWNER
+     || (real_uid == config_uid)
+#endif
+   ))
+  {
+  debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
+  return FALSE;
+  }
+
 /* Get a list of macros which are whitelisted */
 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
 prev_char_item = FALSE;
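Review bot: the uid check has the right shape (fails closed before the whitelist is parsed, and tests real_uid rather than the effective uid), but the comment "I don't know why config-owner would be needed" is a question for the commit message or a reviewer, not for the source; either state the rationale the comment itself gestures at (a CONFIGURE_OWNER can already edit the configuration, so honouring their -D adds no privilege) or leave config_uid out of the trusted set until a need is shown. Two smaller points: the rejection is reported only through debug_printf, so an invoking user who unexpectedly loses root privilege gets no hint outside a -d run; consider surfacing the reason where the privilege is actually dropped. And "(int) real_uid" with %d misprints uids above INT_MAX; casting to long and using %ld is the safer idiom.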