Implement -D whitelist invoking user restriction.

Document WHITELIST_D_MACROS.

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 996b2e5d7288048bfd13cd56ef5e24d1b9ebd6e4..b2c40e48add835c3413090d959ca7dc27013b70a 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3374,6 +3374,14 @@ unprivileged caller, it causes Exim to give up its root privilege.
 If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
 completely disabled, and its use causes an immediate error exit.
 
+If WHITELIST_D_MACROS is defined in &_Local/Makefile_& then it should be a
+colon-separated list of macros which are considered safe and, if &%-D%& only
+supplies macros from this list, and the values are acceptable, then Exim will
+not give up root privilege if the caller is root, the Exim run-time user, or
+the CONFIGURE_OWNER, if set.  This is a transition mechanism and is expected
+to be removed in the future.  Acceptable values for the macros satisfy the
+regexp: &`^[A-Za-z0-9_/.-]*$`&
+
 The entire option (including equals sign if present) must all be within one
 command line item. &%-D%& can be used to set the value of a macro to the empty
 string, in which case the equals sign is optional. These two commands are
@@ -4557,6 +4565,16 @@ non-privileged user causes Exim to discard its root privilege.
 If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is
 completely disabled, and its use causes an immediate error exit.
 
+The WHITELIST_D_MACROS option in &_Local/Makefile_& permits the binary builder
+to declare certain macro names trusted, such that root privilege will not
+necessarily be discarded.
+WHITELIST_D_MACROS defines a colon-separated list of macros which are
+considered safe and, if &%-D%& only supplies macros from this list, and the
+values are acceptable, then Exim will not give up root privilege if the caller
+is root, the Exim run-time user, or the CONFIGURE_OWNER, if set.  This is a
+transition mechanism and is expected to be removed in the future.  Acceptable
+values for the macros satisfy the regexp: &`^[A-Za-z0-9_/.-]*$`&
+
 Some sites may wish to use the same Exim binary on different machines that
 share a file system, but to use different configuration files on each machine.
 If CONFIGURE_FILE_USE_NODE is defined in &_Local/Makefile_&, Exim first
@@ -33805,7 +33823,8 @@ configuration file, and using it to break into other accounts.
 If a non-trusted configuration file (i.e. the default configuration file or
 one which is trusted by virtue of matching a prefix listed in the
 TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are
-given with &%-D%&, then root privilege is retained only if the caller of Exim
+given with &%-D%& (but see the next item),
+then root privilege is retained only if the caller of Exim
 is root. This locks out the possibility of testing a configuration using &%-C%&
 right through message reception and delivery, even if the caller is root. The
 reception works, but by that time, Exim is running as the Exim user, so when
@@ -33813,6 +33832,14 @@ it re-execs to regain privilege for the delivery, the use of &%-C%& causes
 privilege to be lost. However, root can test reception and delivery using two
 separate commands.
 .next
+The WHITELIST_D_MACROS build option declares some macros to be safe to override
+with &%-D%& if the real uid is one of root, the Exim run-time user or the
+CONFIGURE_OWNER, if defined.  The potential impact of this option is limited by
+requiring the run-time value supplied to &%-D%& to match a regex that errs on
+the restrictive side.  Requiring build-time selection of safe macros is onerous
+but this option is intended solely as a transition mechanism to permit
+previously-working configurations to continue to work after release 4.73.
+.next
 If DISABLE_D_OPTION is defined, the use of the &%-D%& command line option
 is disabled.
 .next
@@ -33868,9 +33895,12 @@ uid and gid in the following cases:
 If the &%-C%& option is used to specify an alternate configuration file, or if
 the &%-D%& option is used to define macro values for the configuration, and the
 calling process is not running as root, the uid and gid are changed to those of
- the calling process.
+the calling process.
 However, if DISABLE_D_OPTION is defined in &_Local/Makefile_&, the &%-D%&
 option may not be used at all.
+If WHITELIST_D_MACROS is defined in &_Local/Makefile_&, then some macro values
+can be supplied if the calling process is running as root, the Exim run-time
+user or CONFIGURE_OWNER, if defined.
 .next
 .oindex "&%-be%&"
 .oindex "&%-bf%&"

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 386a15b8fd98c19d9c008e0ebc0f9130603374b0..162d6c5f6aeef09f0b67e56d6e8ab652e1b17295 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -99,6 +99,7 @@ PP/28 Add WHITELIST_D_MACROS option to let some macros be overriden by the
       Exim run-time user without dropping privileges.
 
 
+
 Exim version 4.72
 -----------------
 

diff --git a/src/src/exim.c b/src/src/exim.c
index f50a62b944d4d4667e2d0bd9c480bb7d43ceb78f..7498682316ce34a6101340dccd7a464cb84f1a8d 100644 (file)
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1159,6 +1159,21 @@ if (macros == NULL)
 return FALSE;
 #else
 
+/* We only trust -D overrides for some invoking users:
+root, the exim run-time user, the optional config owner user.
+I don't know why config-owner would be needed, but since they can own the
+config files anyway, there's no security risk to letting them override -D. */
+if ( ! ((real_uid == root_uid)
+     || (real_uid == exim_uid)
+#ifdef CONFIGURE_OWNER
+     || (real_uid == config_uid)
+#endif
+   ))
+  {
+  debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
+  return FALSE;
+  }
+
 /* Get a list of macros which are whitelisted */
 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
 prev_char_item = FALSE;