Add TRUSTED_CONFIG_PREFIX_FILE option

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 578485ddd5af95a329c421c55834af69b2642f73..bbc3949c6015e3a074f2b2cc15d7cb8941f2fc07 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3334,14 +3334,17 @@ proceeding any further along the list, and an error is generated.
 When this option is used by a caller other than root, and the list is different
 from the compiled-in list, Exim gives up its root privilege immediately, and
 runs with the real and effective uid and gid set to those of the caller.
 When this option is used by a caller other than root, and the list is different
 from the compiled-in list, Exim gives up its root privilege immediately, and
 runs with the real and effective uid and gid set to those of the caller.

-
-This behaviour precludes the possibility of testing a configuration using
-&%-C%& right through message reception and delivery, even if the caller is
-root. The reception works, but by that time, Exim is running as the Exim user,
-so when it re-executes to regain privilege for the delivery, the use of &%-C%&
-causes privilege to be lost. However, root can test reception and delivery
-using two separate commands (one to put a message on the queue, using &%-odq%&,
-and another to do the delivery, using &%-M%&).
+However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&,
+root privilege is retained for any configuration file which matches a prefix
+listed in that file.
+
+Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes the possibility of testing
+a configuration using &%-C%& right through message reception and delivery,
+even if the caller is root. The reception works, but by that time, Exim is
+running as the Exim user, so when it re-executes to regain privilege for the
+delivery, the use of &%-C%& causes privilege to be lost. However, root can
+test reception and delivery using two separate commands (one to put a message
+on the queue, using &%-odq%&, and another to do the delivery, using &%-M%&).

 
 If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
 prefix string with which any file named in a &%-C%& command line option
 
 If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
 prefix string with which any file named in a &%-C%& command line option


@@ -4525,19 +4528,21 @@ A one-off alternate configuration can be specified by the &%-C%& command line
 option, which may specify a single file or a list of files. However, when
 &%-C%& is used, Exim gives up its root privilege, unless called by root (or
 unless the argument for &%-C%& is identical to the built-in value from
 option, which may specify a single file or a list of files. However, when
 &%-C%& is used, Exim gives up its root privilege, unless called by root (or
 unless the argument for &%-C%& is identical to the built-in value from

-CONFIGURE_FILE). &%-C%& is useful mainly for checking the syntax of
-configuration files before installing them. No owner or group checks are done
-on a configuration file specified by &%-C%&.
-
-The Exim user is not trusted to specify an arbitrary configuration file with
-the &%-C%& option to be executed with root privileges. This locks out the
-possibility of testing a configuration using &%-C%& right through message
-reception and delivery, even if the caller is root. The reception works, but
-by that time, Exim is running as the Exim user, so when it re-execs to regain
-privilege for the delivery, the use of &%-C%& causes privilege to be lost.
-However, root can test reception and delivery using two separate commands
-(one to put a message on the queue, using &%-odq%&, and another to do the
-delivery, using &%-M%&).
+CONFIGURE_FILE) or matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST
+file. &%-C%& is useful mainly for checking the syntax of configuration files
+before installing them. No owner or group checks are done on a configuration
+file specified by &%-C%&, if root privilege has been dropped.
+
+Even the Exim user is not trusted to specify an arbitrary configuration file
+with the &%-C%& option to be used with root privileges, unless that file is
+listed in the TRUSTED_CONFIG_PREFIX_LIST file. This locks out the possibility
+of testing a configuration using &%-C%& right through message reception and
+delivery, even if the caller is root. The reception works, but by that time,
+Exim is running as the Exim user, so when it re-execs to regain privilege for
+the delivery, the use of &%-C%& causes privilege to be lost. However, root
+can test reception and delivery using two separate commands (one to put a
+message on the queue, using &%-odq%&, and another to do the delivery, using
+&%-M%&).

 
 If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
 prefix string with which any file named in a &%-C%& command line option must
 
 If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
 prefix string with which any file named in a &%-C%& command line option must


@@ -33797,7 +33802,9 @@ which only root has access, this guards against someone who has broken
 into the Exim account from running a privileged Exim with an arbitrary
 configuration file, and using it to break into other accounts.
 .next
 into the Exim account from running a privileged Exim with an arbitrary
 configuration file, and using it to break into other accounts.
 .next

-If a non-default configuration file is specified with &%-C%&, or macros are
+If a non-trusted configuration file (i.e. the default configuration file or
+one which is trusted by virtue of matching a prefix listed in the
+TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are

 given with &%-D%&, then root privilege is retained only if the caller of Exim
 is root. This locks out the possibility of testing a configuration using &%-C%&
 right through message reception and delivery, even if the caller is root. The
 given with &%-D%&, then root privilege is retained only if the caller of Exim
 is root. This locks out the possibility of testing a configuration using &%-C%&
 right through message reception and delivery, even if the caller is root. The