Re: [exim] Exim 4.94 Taint issues

Author: Dave Restall - System Administrator
Date:
To: exim-users
Subject: Re: [exim] Exim 4.94 Taint issues

On 2020-07-18 The Doctor via freebsd-ports <freebsd-ports@???> wrote:

> Trying Exim 4.94 and I am getting
>
> 2020-07-17 19:28:04.818 [8344] 1jwbdQ-00023D-Cx == doctor@??? R=localuser T=local_delivery defer (-1) DT=0.001s: Tainted '/var/mail/doctor' (file or directory name for local_delivery transport) not permitted

...
> 2020-07-17 19:30:09.228 [9608] 1jwbdQ-00023D-Cx == doctor@??? R=localuser T=local_delivery defer (-1) DT=0.001s: Tainted '/var/mail/doctor' (file or directory name for local_delivery transport) not permitted
>
> Why is this happening?


You are not alone :-)

4.94 introduced more rigorous checking of expanded strings. Any strings
that could potentially be supplied by a remote user e.g. $local_part have
been classed as tainted. This means that they are not to be trusted to
be used directly for things like file name expansion or database lookups.
The log entries you are seeing are informing you that your lookups need
a bit of sanitizing. Generally you can use the tainted data but you
need to clean it before you use it e.g. quote it or use it to derive
another variable.

It's a bit more onerous but this is the price we have to pay for enhanced
security in exim.

Personally, I understand why the devs did this; it is a useful and
worthwhile upgrade to exim. Where I think they went wrong is that they
didn't really handle the release of it quite well in the announcement
and even the pre-announcement. Something along the lines of "We're
going to add strict de-tainting to exim 4.94 which will break a lot
of configurations so please be ready to re-factor your configurations
during the upgrade" would have been useful. If it was made plain,
A LOT of users (me included) missed it, so it could be argued that it
wasn't made plain enough....

The RTFM reply you got was not useful either. There should be a section
in the manual purely about de-tainting, its reasoning, possible side
effects and mitigations. As it currently is, anybody wanting information
on what's going on has to trawl through the manual and make inferences
from what they find.

In short, the devs haven't covered themselves with glory with this
upgrade - IMHO.

Regards,

D

+----------------------------------------------------------------------------+
| Dave Restall, Computer Anorak, Geek, Cyclist, Radio Amateur G4FCU, Bodger  |
| Mob +44 (0) 7973 831245      Skype: dave.restall             Radio: G4FCU  |
| email : dave@???  - Anti-SocialMediaist -  Web : Not Ready Yet :-( |
+- QOTD ---------------------------------------------------------------------+
| Reappraisal, n.:                                                           |
|     An abrupt change of mind after being found out.                        |
+----------------------------------------------------------------------------+
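The kind of sanitizing the reply describes for the transport in the quoted log line, as an added example that is not part of the original message or of the Exim project's own documentation: in Exim 4.94 the envelope recipient's `$local_part` is tainted, so an `appendfile` transport that builds its `file` path from it is refused with the "Tainted '/var/mail/...' (file or directory name for local_delivery transport) not permitted" defer. The router's `check_local_user` option verifies the local part against the system password database and provides the verified, untainted copy in `$local_part_data`, which the transport can use instead. The lookup in the last stanza shows the other route the reply mentions, deriving a fresh untainted value from a lookup whose key may be tainted; the file name `/etc/exim/virtual-aliases` is a constructed placeholder.

```exim
# Router: check_local_user confirms the local part is a real system user
# and, in Exim 4.94, places the untainted value in $local_part_data.
localuser:
  driver = accept
  check_local_user
  transport = local_delivery

# Transport BEFORE the fix (kept commented out for comparison): $local_part
# comes straight from the envelope recipient, so 4.94 refuses to use it as
# a file name and logs the "Tainted '/var/mail/...' not permitted" defer.
#local_delivery:
#  driver = appendfile
#  file = /var/mail/$local_part

# Transport AFTER the fix: the path is built from the router-verified,
# untainted $local_part_data rather than the tainted $local_part.
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660

# "Derive another variable": a lookup may take tainted data as its key,
# and the value it returns is untainted. Here the (constructed) file
# /etc/exim/virtual-aliases maps local parts to mailbox names, so the
# transport's path never contains the tainted recipient string itself.
virtual_delivery:
  driver = appendfile
  file = /var/mail/${lookup{$local_part}lsearch{/etc/exim/virtual-aliases}{$value}fail}
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
```

A quick way to check a transport after the change is to run a test delivery with `exim -bt user@localdomain` and then watch the main log for the deferral text quoted above; when `$local_part_data` is in use the defer no longer appears. The `fail` branch on the lookup makes an unknown local part defer rather than silently deliver to an empty path.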