Re: [exim-dev] Candidate patches for privilege escalation

Author: David Woodhouse
To: Andreas Metzler
CC: exim-dev
Subject: Re: [exim-dev] Candidate patches for privilege escalation
On Sat, 2010-12-18 at 19:23 +0100, Andreas Metzler wrote:
> Afaiui the format of TRUSTED_CONFIG_LIST is one filename per line (not a colon
> separated list). I do not think the documentation (spec.xfpt) says
> this. Could you clarify this?


Useful criticism; thanks. More useful if it were in 'diff -u' form
though :)

From 7f7f05454657fe756dd06d2ee11bfe70c5a1a9a0 Mon Sep 17 00:00:00 2001
From: David Woodhouse <David.Woodhouse@???>
Date: Sat, 18 Dec 2010 23:22:17 +0000
Subject: [PATCH] Make the documentation clearer that TRUSTED_CONFIG_LIST is one pathname per line

---
 doc/doc-docbook/spec.xfpt       |   10 ++++++----
 doc/doc-txt/IncompatibleChanges |    4 ++--
 doc/doc-txt/NewStuff            |    6 +++---
 3 files changed, 11 insertions(+), 9 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ed966ad..cd142e4 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3334,10 +3334,12 @@ proceeding any further along the list, and an error is generated.
When this option is used by a caller other than root, and the list is different
from the compiled-in list, Exim gives up its root privilege immediately, and
runs with the real and effective uid and gid set to those of the caller.
-However, if a TRUSTED_CONFIG_LIST file is defined in &_Local/Makefile_&, root
-privilege is retained for any configuration file which is listed in that file
-as long as the caller is the Exim user (or the user specified in the
-CONFIGURE_OWNER option, if any).
+However, if a TRUSTED_CONFIG_LIST file is defined in &_Local/Makefile_&, that
+file contains a list of full pathnames, one per line, for configuration files
+which are trusted. Root privilege is retained for any configuration file so
+listed, as long as the caller is the Exim user (or the user specified in the
+CONFIGURE_OWNER option, if any), and as long as the configuration file is
+not writeable by inappropriate users or groups.

 Leaving TRUSTED_CONFIG_LIST unset precludes the possibility of testing a
 configuration using &%-C%& right through message reception and delivery,
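Review bot: the added condition "as long as the configuration file is not writeable by inappropriate users or groups" leaves the reader guessing which users and groups count as inappropriate, and the NewStuff hunk of this same patch states the condition as "owned by root"; spell out the ownership and permission requirement here (or use identical wording in both places) so the two documents do not appear to describe two different checks. The hunk also says entries are "full pathnames, one per line" but not how a -C argument is matched against them; one sentence saying whether this is an exact string comparison (so a relative path, a trailing slash or a symlinked alias of a listed file would not match) would save administrators a surprise when privilege is unexpectedly dropped.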
diff --git a/doc/doc-txt/IncompatibleChanges b/doc/doc-txt/IncompatibleChanges
index 50bf186..2d3394b 100644
--- a/doc/doc-txt/IncompatibleChanges
+++ b/doc/doc-txt/IncompatibleChanges
@@ -40,8 +40,8 @@ Exim version 4.73
    Two new build options mitigate this.


     * TRUSTED_CONFIG_LIST defines a file containing a whitelist of config
-      files that are trusted to be selected by the Exim user; this is the
-      recommended approach going forward.
+      files that are trusted to be selected by the Exim user; one per line.
+      This is the recommended approach going forward.


     * WHITELIST_D_MACROS defines a colon-separated list of macro names which
       the Exim run-time user may safely pass without dropping privileges.
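Review bot: tacking "one per line" onto the sentence after the semicolon makes it read as a qualifier on "trusted to be selected by the Exim user" rather than on the file format; put the format next to the noun it describes, e.g. "TRUSTED_CONFIG_LIST defines a file containing a whitelist of config files (one full pathname per line) that are trusted to be selected by the Exim user; this is the recommended approach going forward."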
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index a732d9b..f668ae1 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -103,9 +103,9 @@ Version 4.73
 12. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and
     is forced on.  This is mitigated by the new build option
     TRUSTED_CONFIG_LIST which defines a list of configuration files which
-    are trusted; if a config file is owned by root and matches a pathname in
-    the list, then it may be invoked by the Exim build-time user without Exim
-    relinquishing root privileges.
+    are trusted; one per line. If a config file is owned by root and matches
+    a pathname in the list, then it may be invoked by the Exim build-time
+    user without Exim relinquishing root privileges.


 13. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically
     trusted to supply -D<Macro[=Value]> overrides on the command-line.  Going
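Review bot: same placement problem as in the IncompatibleChanges hunk: "which are trusted; one per line." reads as though trust is granted one line at a time; move the format into the description of the list, e.g. "a list of configuration files, one full pathname per line, which are trusted". Separately, this hunk keeps "owned by root" and "the Exim build-time user" as the conditions, while the spec.xfpt hunk in the same patch says "not writeable by inappropriate users or groups" and "the Exim user (or the user specified in the CONFIGURE_OWNER option, if any)"; the two descriptions should state the same set of conditions.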
-- 
1.7.3.3



--
dwmw2