X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/5dc43717a3cf7349094cb552c81e86bc205f9b30..c1d94452b1b7f3620ee3cc9aa197ad98821de79f:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 14c1bf8d8..049b2b6b0 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.87 2010/06/12 15:21:25 jetmore Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.88 2010/06/14 18:51:09 pdp Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -3184,12 +3184,15 @@ the listening daemon. .cindex "testing", "malware" .cindex "malware scan test" This debugging option causes Exim to scan the given file, -using the malware scanning framework. The option of av_scanner influences -this option, so if av_scanner's value is dependent upon an expansion then -the expansion should have defaults which apply to this invocation. Exim will -have changed working directory before resolving the filename, so using fully -qualified pathnames is advisable. Exim will be running as the Exim user -when it tries to open the file, rather than as the invoking user. +using the malware scanning framework. The option of &%av_scanner%& influences +this option, so if &%av_scanner%&'s value is dependent upon an expansion then +the expansion should have defaults which apply to this invocation. ACLs are +not invoked, so if &%av_scanner%& references an ACL variable then that variable +will never be populated and &%-bmalware%& will fail. + +Exim will have changed working directory before resolving the filename, so +using fully qualified pathnames is advisable. Exim will be running as the Exim +user when it tries to open the file, rather than as the invoking user. This option requires admin privileges. The &%-bmalware%& option will not be extended to be more generally useful, @@ -4498,17 +4501,21 @@ existing file in the list. .cindex "configuration file" "ownership" .cindex "ownership" "configuration file" The run time configuration file must be owned by root or by the user that is -specified at compile time by the EXIM_USER option, or by the user that is specified at compile time by the CONFIGURE_OWNER option (if set). The -configuration file must not be world-writeable or group-writeable, unless its -group is the one specified at compile time by the EXIM_GROUP option or by the +configuration file must not be world-writeable, or group-writeable unless its +group is the root group or the one specified at compile time by the CONFIGURE_GROUP option. &*Warning*&: In a conventional configuration, where the Exim binary is setuid to root, anybody who is able to edit the run time configuration file has an -easy way to run commands as root. If you make your mail administrators members -of the Exim group, but do not trust them with root, make sure that the run time -configuration is not group writeable. +easy way to run commands as root. If you specify a user or group in the +CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users +who are members of that group will trivially be able to obtain root privileges. + +Up to Exim version 4.72, the run time configuration file was also permitted to +be writeable by the Exim user and/or group. That has been changed in Exim 4.73 +since it offered a simple privilege escalation for any attacker who managed to +compromise the Exim user account. A default configuration file, which will work correctly in simple situations, is provided in the file &_src/configure.default_&. If CONFIGURE_FILE