Gitweb:
http://git.exim.org/exim.git/commitdiff/66581d1e830f4e68f2b074b8d79a80645c6a72ea
Commit: 66581d1e830f4e68f2b074b8d79a80645c6a72ea
Parent: 2cfd322193567dbbeca47b0fc0ee2836f46e2600
Author: Phil Pennock <pdp@???>
AuthorDate: Wed Dec 15 02:43:33 2010 -0500
Committer: David Woodhouse <David.Woodhouse@???>
CommitDate: Wed Dec 15 12:22:36 2010 +0000
Implement -D whitelist invoking user restriction.
Document WHITELIST_D_MACROS.
---
doc/doc-docbook/spec.xfpt | 34 ++++++++++++++++++++++++++++++++--
doc/doc-txt/ChangeLog | 1 +
src/src/exim.c | 15 +++++++++++++++
3 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 996b2e5..b2c40e4 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3374,6 +3374,14 @@ unprivileged caller, it causes Exim to give up its root privilege.
If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
completely disabled, and its use causes an immediate error exit.
+If WHITELIST_D_MACROS is defined in &_Local/Makefile_& then it should be a
+colon-separated list of macros which are considered safe and, if &%-D%& only
+supplies macros from this list, and the values are acceptable, then Exim will
+not give up root privilege if the caller is root, the Exim run-time user, or
+the CONFIGURE_OWNER, if set. This is a transition mechanism and is expected
+to be removed in the future. Acceptable values for the macros satisfy the
+regexp: &`^[A-Za-z0-9_/.-]*$`&
+
The entire option (including equals sign if present) must all be within one
command line item. &%-D%& can be used to set the value of a macro to the empty
string, in which case the equals sign is optional. These two commands are
@@ -4557,6 +4565,16 @@ non-privileged user causes Exim to discard its root privilege.
If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
completely disabled, and its use causes an immediate error exit.
+The WHITELIST_D_MACROS option in &_Local/Makefile_& permits the binary builder
+to declare certain macro names trusted, such that root privilege will not
+necessarily be discarded.
+WHITELIST_D_MACROS defines a colon-separated list of macros which are
+considered safe and, if &%-D%& only supplies macros from this list, and the
+values are acceptable, then Exim will not give up root privilege if the caller
+is root, the Exim run-time user, or the CONFIGURE_OWNER, if set. This is a
+transition mechanism and is expected to be removed in the future. Acceptable
+values for the macros satisfy the regexp: &`^[A-Za-z0-9_/.-]*$`&
+
Some sites may wish to use the same Exim binary on different machines that
share a file system, but to use different configuration files on each machine.
If CONFIGURE_FILE_USE_NODE is defined in &_Local/Makefile_&, Exim first
@@ -33805,7 +33823,8 @@ configuration file, and using it to break into other accounts.
If a non-trusted configuration file (i.e. the default configuration file or
one which is trusted by virtue of matching a prefix listed in the
TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are
-given with &%-D%&, then root privilege is retained only if the caller of Exim
+given with &%-D%& (but see the next item),
+then root privilege is retained only if the caller of Exim
is root. This locks out the possibility of testing a configuration using &%-C%&
right through message reception and delivery, even if the caller is root. The
reception works, but by that time, Exim is running as the Exim user, so when
@@ -33813,6 +33832,14 @@ it re-execs to regain privilege for the delivery, the use of &%-C%& causes
privilege to be lost. However, root can test reception and delivery using two
separate commands.
.next
+The WHITELIST_D_MACROS build option declares some macros to be safe to override
+with &%-D%& if the real uid is one of root, the Exim run-time user or the
+CONFIGURE_OWNER, if defined. The potential impact of this option is limited by
+requiring the run-time value supplied to &%-D%& to match a regex that errs on
+the restrictive side. Requiring build-time selection of safe macros is onerous
+but this option is intended solely as a transition mechanism to permit
+previously-working configurations to continue to work after release 4.73.
+.next
If DISABLE_D_OPTION is defined, the use of the &%-D%& command line option
is disabled.
.next
@@ -33868,9 +33895,12 @@ uid and gid in the following cases:
If the &%-C%& option is used to specify an alternate configuration file, or if
the &%-D%& option is used to define macro values for the configuration, and the
calling process is not running as root, the uid and gid are changed to those of
- the calling process.
+the calling process.
However, if DISABLE_D_OPTION is defined in &_Local/Makefile_&, the &%-D%&
option may not be used at all.
+If WHITELIST_D_MACROS is defined in &_Local/Makefile_&, then some macro values
+can be supplied if the calling process is running as root, the Exim run-time
+user or CONFIGURE_OWNER, if defined.
.next
.oindex "&%-be%&"
.oindex "&%-bf%&"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 386a15b..162d6c5 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -99,6 +99,7 @@ PP/28 Add WHITELIST_D_MACROS option to let some macros be overriden by the
Exim run-time user without dropping privileges.
+
Exim version 4.72
-----------------
diff --git a/src/src/exim.c b/src/src/exim.c
index f50a62b..7498682 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1159,6 +1159,21 @@ if (macros == NULL)
return FALSE;
#else
+/* We only trust -D overrides for some invoking users:
+root, the exim run-time user, the optional config owner user.
+I don't know why config-owner would be needed, but since they can own the
+config files anyway, there's no security risk to letting them override -D. */
+if ( ! ((real_uid == root_uid)
+ || (real_uid == exim_uid)
+#ifdef CONFIGURE_OWNER
+ || (real_uid == config_uid)
+#endif
+ ))
+ {
+ debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
+ return FALSE;
+ }
+
/* Get a list of macros which are whitelisted */
whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
prev_char_item = FALSE;
