[exim] Inconsistent detection of tainted command in ${run} 4…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Andrew Hearn
Datum:  
To: exim-users
Betreff: [exim] Inconsistent detection of tainted command in ${run} 4.96
Hi mailing list,

We have an external tool for checking user authentication, but running
it seems to be labelled as tainted inconsistently after upgrading to
4.96.

Here is our PLAIN auth:

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = ${run,preexpand{/usr/bin/eximpassword
"--localpart=${local_part:$2}" "--hostname=${domain:$2}"
"--password=${rxquote:$3}"}{yes}{no}}
server_set_id = $2
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}

This results in a failure to run as apparently the path is tainted even
though it is hard coded:

722716 plain authenticator server_condition:
722716 $auth1 =
722716 $auth2 = user@???
722716 $auth3 = Password!
722716 $1 =
722716 $2 = user@???
722716 $3 = Password!
722716 direct command:
722716 argv[0] = '/usr/bin/eximpassword'
722716 argv[1] = '--localpart=user'
722716 argv[2] = '--hostname=example.com'
722716 argv[3] = '--password=Password!'
722716 LOG: MAIN PANIC
722716 Attempt to exec tainted path: '/usr/bin/eximpassword'
722716 expansion failed: couldn't create child process: Operation not
permitted

However, and here's where things get confusing, here is our LOGIN auth
where we run an **identical** command:

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${run,preexpand{/usr/bin/eximpassword
"--localpart=${local_part:$1}" "--hostname=${domain:$1}"
"--password=${rxquote:$2}"}{yes}{no}}
server_set_id = $1
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}

This works, as if untainted:

723062 login authenticator server_condition:
723062 $auth1 = user@???
723062 $auth2 = Password!
723062 $1 = user@???
723062 $2 = Password!
723062 direct command:
723062 argv[0] = '/usr/bin/eximpassword'
723062 argv[1] = '--localpart=user'
723062 argv[2] = '--hostname=example.com'
723062 argv[3] = '--password=Password!'
723062 daemon-accept forking for expand-run
723062 daemon-accept forked for expand-run: 723068
723068 postfork: expand-run
723062 expanded string: yes
723062 SMTP>> 235 Authentication succeeded

The documentation on
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#SECID82
doesn't seem to cover how ${run} is checked for taint during expansion.

Why are seemingly identical commands inconsistently marked as tainted? Is
this a bug please? If it's by design is there any more documentation
about how ${run} is expanded please?

Thanks in advance,


--
Andrew.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/