Bug 1071: fix delivery logging with untrusted macros.

[exim.git] / src / src / exim.c

diff --git a/src/src/exim.c b/src/src/exim.c
index 67fbc5cf7a9a558ae3b9d422eb71fdf2f9d05f69..e236975061be2c14ee851ac0979a200b8cb90ddd 100644 (file)
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -942,6 +942,17 @@ DEBUG(D_any) do {
       lookup_list[i]->version_report(f);
     }
 
+#ifdef WHITELIST_D_MACROS
+  fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
+#else
+  fprintf(f, "WHITELIST_D_MACROS unset\n");
+#endif
+#ifdef TRUSTED_CONFIG_LIST
+  fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
+#else
+  fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
+#endif
+
 } while (0);
 }
 
@@ -3327,9 +3338,13 @@ if ((                                            /* EITHER */
   and should be used for any logging information because attempts to write
   to the log will usually fail. To arrange this, we unset really_exim. However,
   if no stderr is available there is no point - we might as well have a go
-  at the log (if it fails, syslog will be written). */
+  at the log (if it fails, syslog will be written).
+
+  Note that if the invoker is Exim, the logs remain available. Messing with
+  this causes unlogged successful deliveries.  */
 
-  if (log_stderr != NULL) really_exim = FALSE;
+  if ((log_stderr != NULL) && (real_uid != exim_uid))
+    really_exim = FALSE;
   }
 
 /* Privilege is to be retained for the moment. It may be dropped later,
@@ -3885,14 +3900,14 @@ else
   no need to complain then. */
   if (rv == -1)
     {
-    if (!unprivileged)
+    if (!(unprivileged || removed_privilege))
       {
       fprintf(stderr,
           "exim: changing group failed: %s\n", strerror(errno));
       exit(EXIT_FAILURE);
       }
     else
-      debug_printf("changing group to %ld failed: %s\n",
+      DEBUG(D_any) debug_printf("changing group to %ld failed: %s\n",
           (long int)exim_gid, strerror(errno));
     }
   }