Dengler, Gabriel via Exim-users <exim-users@???> (Mi 02 Nov 2022 19:03:34 CET):
> About the security caveats: do you think that there could be bigger security
> issues if the code runs in an isolated environment like Gramine is? Or can
> you sketch how a possible security attack could look?
If I remember well, until we introduced keep_environment and
add_environment, the following was possible as an unprivileged user
("hans"):
$ export PERL5LIB=/home/hans
$ /usr/sbin/exim …
In the above scenario the Exim config used Perl functions,
loaded from external Perl modules (assuemed to be in one of the
default Perl library paths),
By the above modification an unprivileged user was able get more
privileges by "injecting" malicious Perl functions.
I can imagine that a similar approach will work with LD_LIBRARY_PATH.
But … doesn't the loader clean the LD_LIBRARY_PATH if the RUID differs
from the EUID?
See ld.so(8) for LD_LIBRARY_PATH. Given that, I'm curious why setting
this variable works in your environment.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
