Re: [exim-dev] Candidate patches for privilege escalation

Author: David Woodhouse
Date:  
To: Ted Cooper
CC: exim-dev
Subject: Re: [exim-dev] Candidate patches for privilege escalation
On Fri, 2010-12-17 at 07:53 +1000, Ted Cooper wrote:
>
> > Screw it, let's forget the prefix and regex options. The
> > TRUSTED_CONFIG_LIST can just be a list of simple filenames. Must be a
> > *precise* match to be honoured as root. Why do anything more?
>
> I liked the prefix list for not having to list every file if they were
> all kept somewhere sane like /etc/exim . Am I confusing this with
> ALT_CONFIG_PREFIX ?


ALT_CONFIG_PREFIX, if you choose to set it, is a *restriction*. It says
"you may not use files outside this prefix, at all". I don't quite know
what it achieves, given that a user could build their own copy of Exim
and run it with the different config file anyway. Normal users don't get
to keep privs when they use the -C option anyway.

TRUSTED_CONFIG_{PREFIX_,}FILE, if you choose to set it, is the opposite
— it's essentially a setuid bit for config files, because it allows
*extra* files to be used while retaining root privileges, where normally
Exim would drop privs if the -C option is used.


Given that difference, it makes sense to me that we could use a prefix
match for ALT_CONFIG_PREFIX, but for TRUSTED_CONFIG_FILE we would
require files to be listed *individually* rather than using any form of
wildcard.


If you really do have an ever-changing set of config files that you want
to run in 'setuid' mode, then you can always have a script you run
automatically which auto-generates the TRUSTED_CONFIG_FILE list. Just
don't blame us when something goes wrong :)

--
dwmw2
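A small Python model of the two mechanisms contrasted above, added here as an illustration; it is not Exim's code and not part of this thread. It assumes the list file holds one absolute filename per line and that the settings shown are build-time constants.

```python
import os
import stat

# Constructed build-time settings for the example (not Exim's own code):
# ALT_CONFIG_PREFIX restricts where a -C file may live (None = no restriction);
# TRUSTED_CONFIG_LIST is a file naming configs that may keep root privileges.
ALT_CONFIG_PREFIX = "/etc/exim/"
TRUSTED_CONFIG_LIST = "/etc/exim/trusted_configs"


def list_file_is_safe(path):
    """The list grants 'setuid' to configs, so it must be root-owned and
    writable by nobody else; otherwise treat it as empty."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def parse_trusted_list(text):
    """One absolute filename per line; blank lines and '#' comments ignored.
    Entries are kept verbatim: no globbing, no prefix, no normalisation."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def read_trusted_list(path=TRUSTED_CONFIG_LIST):
    if not list_file_is_safe(path):
        return []
    with open(path) as f:
        return parse_trusted_list(f.read())


def decide(config_path, trusted, alt_prefix=ALT_CONFIG_PREFIX):
    """Outcome for 'exim -C config_path' run by root/exim:
    'refuse', 'keep-root' or 'drop-privs'."""
    if alt_prefix is not None:
        # Restriction: prefix match. A prefix test alone is not enough if the
        # path can climb out with '..' components, so this example rejects those.
        if not config_path.startswith(alt_prefix) or "/../" in config_path:
            return "refuse"
    # Allowlist: honoured only on an exact, character-for-character match.
    if config_path in trusted:
        return "keep-root"
    return "drop-privs"
```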