Update upgrade notes and source about use of seteuid()

(cherry picked from commit bc13bbca6e07267dfe0c4d275bb0a2e9aabf1dfb)
(cherry picked from commit fee1a06ec05e58e0cda8cf04f28240688736f945)

diff --git a/doc/doc-txt/Exim4.upgrade b/doc/doc-txt/Exim4.upgrade
index 528d94d9c30aa15b909cdac8f76e16ec65814a14..86d4a4ddac5eb70979d73f75148544ced51220a4 100644 (file)
--- a/doc/doc-txt/Exim4.upgrade
+++ b/doc/doc-txt/Exim4.upgrade
@@ -468,11 +468,12 @@ Generic Router Options
 . The way that require_files works has been changed. Each item in the list is
   now separately expanded as the test proceeds. The use of leading ! and +
   characters is unchanged. However, user and group checking is done differently.
-  Previously, seteuid() was used, but seteuid() is no longer used in Exim (see
-  "Security" below). Instead, Exim now scans along the components of the file
-  path and checks the access for the given uid and gid. It expects "x" access
-  on directories and "r" on the final file. This means that file access control
-  lists (on those operating systems that have them) are ignored.
+  Previously, seteuid() was used, but seteuid() is no longer used (see
+  "Security" below) for checking the files required by this option. Instead,
+  Exim now scans along the components of the file path and checks the access
+  for the given uid and gid. It expects "x" access on directories and "r" on
+  the final file. This means that file access control lists (on those
+  operating systems that have them) are ignored.
 
 
 Other Consequences of the Director/Router Merge
@@ -1380,8 +1381,11 @@ Security
 --------
 
 Exim 3 could be run in a variety of ways as far as security was concerned. This
-has all been simplified in Exim 4. The security-conscious might like to know
-that it no longer makes any use of the seteuid() function.
+has all been simplified in Exim 4. Exim dropped the use of seteuid() in
+most places. But recent (2020-10/2021-04) vulnerabilities forced us to
+re-introduce seteuid() for opening the database files (hint files) as secure as
+possible. For future (>= 4.95) versions we work on a solution that
+does not need the seteuid call.
 
 . A UID and GID are required to be specified when Exim is compiled. They can be
   now specified by name as well as by number, so the relevant options are now

diff --git a/src/src/deliver.c b/src/src/deliver.c
index cf8ab09ebda1ab2001ed077ac02cf4c211f5f746..4e472ebe6bb8b34056033d577d56364a9f71a46e 100644 (file)
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -2097,9 +2097,9 @@ return FALSE;
 
 /* Each local delivery is performed in a separate process which sets its
 uid and gid as specified. This is a safer way than simply changing and
-restoring using seteuid(); there is a body of opinion that seteuid() cannot be
-used safely. From release 4, Exim no longer makes any use of it. Besides, not
-all systems have seteuid().
+restoring using seteuid(); there is a body of opinion that seteuid()
+cannot be used safely. From release 4, Exim no longer makes any use of
+it for delivery. Besides, not all systems have seteuid().
 
 If the uid/gid are specified in the transport_instance, they are used; the
 transport initialization must ensure that either both or neither are set.