Re: [exim] Exim 4.94 Taint issues

Page principale
Supprimer ce message
Répondre à ce message
Auteur: The Doctor
Date:  
À: Dave Restall - System Administrator,,,
CC: exim-users
Sujet: Re: [exim] Exim 4.94 Taint issues
On Sat, Jul 18, 2020 at 10:25:52AM +0100, Dave Restall - System Administrator, , , via Exim-users wrote:
>
> On 2020-07-18 The Doctor via freebsd-ports <freebsd-ports@???> wrote:
>
> > Trying Exim 4.94 and I am getting
> >
> > 2020-07-17 19:28:04.818 [8344] 1jwbdQ-00023D-Cx == doctor@??? R=localuser T=local_delivery defer (-1) DT=0.001s: Tainted '/var/mail/doctor' (file or directory name for local_delivery transport) not permitted
> ...
> > 2020-07-17 19:30:09.228 [9608] 1jwbdQ-00023D-Cx == doctor@??? R=localuser T=local_delivery defer (-1) DT=0.001s: Tainted '/var/mail/doctor' (file or directory name for local_delivery transport) not permitted
> >
> > Why is this happening?
>
> You are not alone :-)
>
> 4.94 introduced more rigorous checking of expanded strings. Any strings
> that could potentially be supplied by a remote user e.g. $local_part have
> been classed as tainted. This means that they are not to be trusted to
> be used directly for things like file name expansion or database lookups.
> The log entries you are seeing are informing you that your lookups need
> a bit of sanitizing. Generally you can use the tainted data but you
> need to clean it before you use it e.g. quote it or use it to derive
> another variable.
>
> It's a bit more onerous but this is the price we have to pay for enhanced
> security in exim.
>
> Personally, I understand why the devs did this, it is a useful and
> worthwhile upgrade to exim, where I think they went wrong is that they
> didn't really handle the release of it quite well in the announcement
> and even pre-annnouncement. Something along the lines of "We're
> going to add strict de-tainting to exim 4.94 which will break a lot
> of configurations so please be ready to re-factor your configurations
> during the upgrade" would have been useful. If it was made plain,
> A LOT of users (me included) missed it so it could be argued that it
> wasn't made plain enough....
>
> The RTFM reply you got was not useful either. There should be a section
> in the manual purely about de-tainting, its reasoning, possible side
> effects and mitigations. As it currently is, anybody wanting information
> on what's going on has to trawl through the manual and make inferences
> from what they find.
>
> In short, the devs haven't covered themselves with glory with this
> upgrade - IMHO.
>
> Regards,
>
>

If this the fact that the mail directory is set to chmod 1777 ?


>
>
> D
> lists/exim/users/2020-07-18.tx                                 exim-users
> +----------------------------------------------------------------------------+
> | Dave Restall, Computer Anorak, Geek, Cyclist, Radio Amateur G4FCU, Bodger  |
> | Mob +44 (0) 7973 831245      Skype: dave.restall             Radio: G4FCU  |
> | email : dave@???  - Anti-SocialMediaist -  Web : Not Ready Yet :-( |
> +- QOTD ---------------------------------------------------------------------+
> | Reappraisal, n.:                                                           |
> |     An abrupt change of mind after being found out.                        |
> +----------------------------------------------------------------------------+

>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/


--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b
Slight not what's near, while aiming at what's far. -Euripides