Autor: Phil Pennock Data: A: Dr Andrew C Aitchison CC: Exim Users Assumpte: Re: [exim] dynamically loaded lookups - was Re: Exim 4.74 imminent,
security fix
On 2011-01-26 at 10:14 +0000, Dr Andrew C Aitchison wrote: > On Fri, 21 Jan 2011, Phil Pennock wrote:
>
> > Also, this release includes changes to let lookups by dynamically loaded
> > by Exim, so that library dependencies can be constrained to .so files.
> > This is known to work on Linux and FreeBSD. This is primarily intended
> > for use by OS packagers, since if you're building your own Exim you
> > should know which libraries you need and it will be faster to not have
> > to repeatedly load modules.
> >
> > While this dynamic module support is mostly the same as the patches
> > which have been used for some time by some OS packagers, there is an ABI
> > change, so modules from previous patched Exim builds will not work with
> > this, the first "official" support of dynamically loaded modules.
>
> The diff from 4.73 is big enough that it isn't trivially obvious
> that the are sanity checks to stop a (local) hacker from substituting
> non-standard libraries. Can you confirm this ?
Yes.
All dynamically loadable lookups must be stored in a directory whose
name is specified at compile-time. Lookup names can not be specified,
so there are no directory traversal attacks; instead, that directory is
scanned, on every Exim invocation, and Exim attempts to load files
therein. [Exim re-invokes itself for every delivery attempt, so that's
quite often.]
There is no policy on ownership of files in that directory. Admins are
responsible for maintaining the security of that directory.
Note that the extra manual loading of lookups adds time and, for a
postmaster-maintained install, buys you nothing. For anyone maintaining
a mail-system that handles large volumes, you probably don't want this.
The facility does *not* permit adding new lookup-types dynamically, the
source still needs to be modified for each new lookup.
This facility exists solely for OS packagers, who want to be able to
ship an Exim which can use lots of facilities if available, but not have
the main Exim binary link against all of them and force people to
install three RDBMS systems, etc. A .so can link against missing
libraries, and if I recall correctly, then this just means that the
lookup fails to load and Exim continues on its way.
So, for low-volume mail setups running pre-packaged binaries, the lookup
facility makes sense, and has been maintained out-of-tree by them for
years now, as a Linux-only patch. We just finally accepted this into
the "official" source.