Implement -D whitelist invoking user restriction.

Document WHITELIST_D_MACROS.

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 996b2e5d7288048bfd13cd56ef5e24d1b9ebd6e4..b2c40e48add835c3413090d959ca7dc27013b70a 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3374,6 +3374,14 @@ unprivileged caller, it causes Exim to give up its root privilege.
 If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
 completely disabled, and its use causes an immediate error exit.
 
 If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
 completely disabled, and its use causes an immediate error exit.
 

+If WHITELIST_D_MACROS is defined in &_Local/Makefile_& then it should be a
+colon-separated list of macros which are considered safe and, if &%-D%& only
+supplies macros from this list, and the values are acceptable, then Exim will
+not give up root privilege if the caller is root, the Exim run-time user, or
+the CONFIGURE_OWNER, if set.  This is a transition mechanism and is expected
+to be removed in the future.  Acceptable values for the macros satisfy the
+regexp: &`^[A-Za-z0-9_/.-]*$`&
+

 The entire option (including equals sign if present) must all be within one
 command line item. &%-D%& can be used to set the value of a macro to the empty
 string, in which case the equals sign is optional. These two commands are
 The entire option (including equals sign if present) must all be within one
 command line item. &%-D%& can be used to set the value of a macro to the empty
 string, in which case the equals sign is optional. These two commands are


@@ -4557,6 +4565,16 @@ non-privileged user causes Exim to discard its root privilege.
 If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
 completely disabled, and its use causes an immediate error exit.
 
 If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
 completely disabled, and its use causes an immediate error exit.
 

+The WHITELIST_D_MACROS option in &_Local/Makefile_& permits the binary builder
+to declare certain macro names trusted, such that root privilege will not
+necessarily be discarded.
+WHITELIST_D_MACROS defines a colon-separated list of macros which are
+considered safe and, if &%-D%& only supplies macros from this list, and the
+values are acceptable, then Exim will not give up root privilege if the caller
+is root, the Exim run-time user, or the CONFIGURE_OWNER, if set.  This is a
+transition mechanism and is expected to be removed in the future.  Acceptable
+values for the macros satisfy the regexp: &`^[A-Za-z0-9_/.-]*$`&
+

 Some sites may wish to use the same Exim binary on different machines that
 share a file system, but to use different configuration files on each machine.
 If CONFIGURE_FILE_USE_NODE is defined in &_Local/Makefile_&, Exim first
 Some sites may wish to use the same Exim binary on different machines that
 share a file system, but to use different configuration files on each machine.
 If CONFIGURE_FILE_USE_NODE is defined in &_Local/Makefile_&, Exim first


@@ -33805,7 +33823,8 @@ configuration file, and using it to break into other accounts.
 If a non-trusted configuration file (i.e. the default configuration file or
 one which is trusted by virtue of matching a prefix listed in the
 TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are
 If a non-trusted configuration file (i.e. the default configuration file or
 one which is trusted by virtue of matching a prefix listed in the
 TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are

-given with &%-D%&, then root privilege is retained only if the caller of Exim
+given with &%-D%& (but see the next item),
+then root privilege is retained only if the caller of Exim

 is root. This locks out the possibility of testing a configuration using &%-C%&
 right through message reception and delivery, even if the caller is root. The
 reception works, but by that time, Exim is running as the Exim user, so when
 is root. This locks out the possibility of testing a configuration using &%-C%&
 right through message reception and delivery, even if the caller is root. The
 reception works, but by that time, Exim is running as the Exim user, so when


@@ -33813,6 +33832,14 @@ it re-execs to regain privilege for the delivery, the use of &%-C%& causes
 privilege to be lost. However, root can test reception and delivery using two
 separate commands.
 .next
 privilege to be lost. However, root can test reception and delivery using two
 separate commands.
 .next

+The WHITELIST_D_MACROS build option declares some macros to be safe to override
+with &%-D%& if the real uid is one of root, the Exim run-time user or the
+CONFIGURE_OWNER, if defined.  The potential impact of this option is limited by
+requiring the run-time value supplied to &%-D%& to match a regex that errs on
+the restrictive side.  Requiring build-time selection of safe macros is onerous
+but this option is intended solely as a transition mechanism to permit
+previously-working configurations to continue to work after release 4.73.
+.next

 If DISABLE_D_OPTION is defined, the use of the &%-D%& command line option
 is disabled.
 .next
 If DISABLE_D_OPTION is defined, the use of the &%-D%& command line option
 is disabled.
 .next


@@ -33868,9 +33895,12 @@ uid and gid in the following cases:
 If the &%-C%& option is used to specify an alternate configuration file, or if
 the &%-D%& option is used to define macro values for the configuration, and the
 calling process is not running as root, the uid and gid are changed to those of
 If the &%-C%& option is used to specify an alternate configuration file, or if
 the &%-D%& option is used to define macro values for the configuration, and the
 calling process is not running as root, the uid and gid are changed to those of

- the calling process.
+the calling process.

 However, if DISABLE_D_OPTION is defined in &_Local/Makefile_&, the &%-D%&
 option may not be used at all.
 However, if DISABLE_D_OPTION is defined in &_Local/Makefile_&, the &%-D%&
 option may not be used at all.

+If WHITELIST_D_MACROS is defined in &_Local/Makefile_&, then some macro values
+can be supplied if the calling process is running as root, the Exim run-time
+user or CONFIGURE_OWNER, if defined.

 .next
 .oindex "&%-be%&"
 .oindex "&%-bf%&"
 .next
 .oindex "&%-be%&"
 .oindex "&%-bf%&"

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 386a15b8fd98c19d9c008e0ebc0f9130603374b0..162d6c5f6aeef09f0b67e56d6e8ab652e1b17295 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -99,6 +99,7 @@ PP/28 Add WHITELIST_D_MACROS option to let some macros be overriden by the
       Exim run-time user without dropping privileges.
 
 
       Exim run-time user without dropping privileges.
 
 

+

 Exim version 4.72
 -----------------
 
 Exim version 4.72
 -----------------
 

diff --git a/src/src/exim.c b/src/src/exim.c
index f50a62b944d4d4667e2d0bd9c480bb7d43ceb78f..7498682316ce34a6101340dccd7a464cb84f1a8d 100644 (file)
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1159,6 +1159,21 @@ if (macros == NULL)
 return FALSE;
 #else
 
 return FALSE;
 #else
 

+/* We only trust -D overrides for some invoking users:
+root, the exim run-time user, the optional config owner user.
+I don't know why config-owner would be needed, but since they can own the
+config files anyway, there's no security risk to letting them override -D. */
+if ( ! ((real_uid == root_uid)
+     || (real_uid == exim_uid)
+#ifdef CONFIGURE_OWNER
+     || (real_uid == config_uid)
+#endif
+   ))
+  {
+  debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
+  return FALSE;
+  }
+

 /* Get a list of macros which are whitelisted */
 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
 prev_char_item = FALSE;
 /* Get a list of macros which are whitelisted */
 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
 prev_char_item = FALSE;