[exim] Taint checker confusing error (blaming file but cause…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Christian Balzer
Datum:  
To: exim-users
Betreff: [exim] Taint checker confusing error (blaming file but caused by later ldap lookup)

Hello,

After upgrading a test server to Debian Bullseye (Exim 4.94.2) a simple
test resulted in this:
---
$ exim -v -bv miffy@???
LOG: MAIN PANIC
Tainted filename '/etc/exim4/localdomains'
LOG: MAIN PANIC DIE
failed to open /etc/exim4/localdomains when checking "@:localhost:/etc/exim4/localdomains:ldap;ldap::///ou=mail,dc=do,dc=main?mailDomain?sub?mailDomain=$domain": Permission denied (euid=110 egid=117)
---

The config line(s) causing this is already clear above, but here's the
real deal:
---
LOCALDOM = /etc/exim4/localdomains
domainlist local_domains = @:localhost:LOCALDOM:ldap;ldap::///ou=mail,dc=do,dc=main?mailDomain?sub?mailDomain=$domain
---

The cause is of course the use of $domain in the LDAP query, but both
the error nor the scope of taint checking are helpful here.
The permission denied bit is also a red herring, that file/macro gets used
happily by other (local delivery) routers.

Removing the LOCALDOM macro and thus the file name fixes it (so the tainted
$domain is fine for LDAP, gee), however this leaves one with questions.

When using $domain_data instead there is no taint error, alas that variable
does not get populated.
I think we have a chicken and egg problem here, as the router in question
does have a "domains = +local_domains" in it.
So the domain is not matched, the router not called and that's the end of that.

How would one populate $domain_data in this case?

Is there hope for a fix that would remove the false taint error in this case?

Thanks,

Christian
-- 
Christian Balzer        Network/Systems Engineer                
chibi@???       Rakuten Communications