[exim] Inconsistent detection of tainted command in ${run} 4…

Author: Andrew Hearn
Date:  
To: exim-users
Subject: [exim] Inconsistent detection of tainted command in ${run} 4.96
Hi mailing list,

We have an external tool for checking user authentication, but running
it seems to be labelled as tainted inconsistently after upgrading to
4.96.

Here is our PLAIN auth:

plain:
    driver = plaintext
    public_name = PLAIN
    server_prompts = :
    server_condition = ${run,preexpand{/usr/bin/eximpassword "--localpart=${local_part:$2}" "--hostname=${domain:$2}" "--password=${rxquote:$3}"}{yes}{no}}
    server_set_id = $2
    server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}


This results in a failure to run as apparently the path is tainted even
though it is hard coded:

722716 plain authenticator server_condition:
722716 $auth1 =
722716 $auth2 = user@???
722716 $auth3 = Password!
722716 $1 =
722716 $2 = user@???
722716 $3 = Password!
722716 direct command:
722716 argv[0] = '/usr/bin/eximpassword'
722716 argv[1] = '--localpart=user'
722716 argv[2] = '--hostname=example.com'
722716 argv[3] = '--password=Password!'
722716 LOG: MAIN PANIC
722716 Attempt to exec tainted path: '/usr/bin/eximpassword'
722716 expansion failed: couldn't create child process: Operation not permitted

However, and here's where things get confusing, here is our LOGIN auth
where we run an *identical* command:

login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    server_condition = ${run,preexpand{/usr/bin/eximpassword "--localpart=${local_part:$1}" "--hostname=${domain:$1}" "--password=${rxquote:$2}"}{yes}{no}}
    server_set_id = $1
    server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}


This works, as if untainted:

723062 login authenticator server_condition:
723062 $auth1 = user@???
723062 $auth2 = Password!
723062 $1 = user@???
723062 $2 = Password!
723062 direct command:
723062 argv[0] = '/usr/bin/eximpassword'
723062 argv[1] = '--localpart=user'
723062 argv[2] = '--hostname=example.com'
723062 argv[3] = '--password=Password!'
723062 daemon-accept forking for expand-run
723062 daemon-accept forked for expand-run: 723068
723068 postfork: expand-run
723062 expanded string: yes
723062 SMTP>> 235 Authentication succeeded

The documentation on
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#SECID82
doesn't seem to cover how ${run} is checked for taint during expansion.

Why are seemingly identical commands inconsistently marked as tainted?
Is this a bug please? If it's by design is there any more documentation
about how ${run} is expanded please?

Thanks in advance,


--
Andrew.
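Added example (not from the post above or from Exim itself): a toy model of Exim-style taint propagation that shows why a hard-coded command path can still end up tainted. It assumes Exim's rule that any string built from tainted input is tainted as a whole, and contrasts the ${run,preexpand{...}} path (whole string expanded, then split, so argv[0] inherits the taint from the client-supplied $2/$3) with the 4.96 default of splitting first and expanding each word on its own; the template, variable values and the TStr/expand/run_argv names are all constructed for the illustration.

```python
# Toy model of Exim-style taint tracking for ${run}. Constructed example,
# not Exim's code: a string derived from untrusted input carries a taint
# flag, and the flag survives concatenation.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TStr:
    text: str
    tainted: bool = False  # True when derived from client-supplied data

    def __add__(self, other: "TStr") -> "TStr":
        return TStr(self.text + other.text, self.tainted or other.tainted)


# Constructed authenticator variables: $2/$3 arrived from the SMTP client,
# so they are tainted; the rest of the template is trusted config text.
AUTH_VARS = {"2": TStr("user@example.com", True), "3": TStr("Password!", True)}
VAR_RE = re.compile(r"\$(\d)")


def expand(template: str, env: dict) -> TStr:
    """Substitute $N variables; the result is tainted if any input was."""
    out, pos = TStr(""), 0
    for m in VAR_RE.finditer(template):
        out = out + TStr(template[pos:m.start()]) + env[m.group(1)]
        pos = m.end()
    return out + TStr(template[pos:])


def run_argv(template: str, env: dict, preexpand: bool) -> list:
    """Build argv the way the two ${run} modes do; refuse a tainted path."""
    if preexpand:
        # Whole string expanded first, then split: every word, including
        # argv[0], inherits the taint of the whole string.
        whole = expand(template, env)
        argv = [TStr(w, whole.tainted) for w in whole.text.split()]
    else:
        # Split first, expand per word: the hard-coded path stays clean and
        # only the argument words that contain $2/$3 become tainted.
        argv = [expand(w, env) for w in template.split()]
    if argv[0].tainted:
        raise PermissionError(f"Attempt to exec tainted path: '{argv[0].text}'")
    return [a.text for a in argv]


def exec_allowed(template: str, env: dict, preexpand: bool) -> bool:
    """True if the command would be exec'd, False if the path is tainted."""
    try:
        run_argv(template, env, preexpand)
        return True
    except PermissionError:
        return False


CMD = "/usr/bin/eximpassword --localpart=$2 --password=$3"
```

The model only reproduces the preexpand-versus-per-word distinction; it does not explain why the LOGIN case in the post passed, which is what the question to the list is about.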
