Re: [exim-dev] Candidate patches for privilege escalation

Top Page

Reply to this message
Author: David Woodhouse
To: Andreas Metzler
CC: exim-dev
Subject: Re: [exim-dev] Candidate patches for privilege escalation
On Wed, 2010-12-15 at 19:22 +0100, Andreas Metzler wrote:
> <Mode proxy>
> Ian Jackson wrote on debian-devel on Tue, 14 Dec 2010:
> > Right. It should probably also refuse to read filenames matching
> > .* #* *# *~ *.tmp at the very least.
> >
> > You wouldn't want to edit your exim.conf to get rid of a security
> > problem and find that the attacker could just tell it to use the old
> > file !
> </proxy>

Hm, very true.

I don't want to hard-code things like that if we can avoid it.

Should we make the TRUSTED_CONFIG_PREFIX_LIST into a list of regexes
instead of a list of prefixes?