From: Heiko Schlittermann (HS12-RIPE) Date: Wed, 21 Apr 2021 05:52:39 +0000 (+0200) Subject: Update upgrade notes and source about use of seteuid() X-Git-Tag: exim-4.95-RC0~51^2~5 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/9370c62082c6596c3eaf5dcf6c0b29cf002bd321 Update upgrade notes and source about use of seteuid() (cherry picked from commit bc13bbca6e07267dfe0c4d275bb0a2e9aabf1dfb) (cherry picked from commit fee1a06ec05e58e0cda8cf04f28240688736f945) --- diff --git a/doc/doc-txt/Exim4.upgrade b/doc/doc-txt/Exim4.upgrade index 528d94d9c..86d4a4dda 100644 --- a/doc/doc-txt/Exim4.upgrade +++ b/doc/doc-txt/Exim4.upgrade @@ -468,11 +468,12 @@ Generic Router Options . The way that require_files works has been changed. Each item in the list is now separately expanded as the test proceeds. The use of leading ! and + characters is unchanged. However, user and group checking is done differently. - Previously, seteuid() was used, but seteuid() is no longer used in Exim (see - "Security" below). Instead, Exim now scans along the components of the file - path and checks the access for the given uid and gid. It expects "x" access - on directories and "r" on the final file. This means that file access control - lists (on those operating systems that have them) are ignored. + Previously, seteuid() was used, but seteuid() is no longer used (see + "Security" below) for checking the files required by this option. Instead, + Exim now scans along the components of the file path and checks the access + for the given uid and gid. It expects "x" access on directories and "r" on + the final file. This means that file access control lists (on those + operating systems that have them) are ignored. Other Consequences of the Director/Router Merge @@ -1380,8 +1381,11 @@ Security -------- Exim 3 could be run in a variety of ways as far as security was concerned. This -has all been simplified in Exim 4. The security-conscious might like to know -that it no longer makes any use of the seteuid() function. +has all been simplified in Exim 4. Exim dropped the use of seteuid() in +most places. But recent (2020-10/2021-04) vulnerabilities forced us to +re-introduce seteuid() for opening the database files (hint files) as secure as +possible. For future (>= 4.95) versions we work on a solution that +does not need the seteuid call. . A UID and GID are required to be specified when Exim is compiled. They can be now specified by name as well as by number, so the relevant options are now diff --git a/src/src/deliver.c b/src/src/deliver.c index cf8ab09eb..4e472ebe6 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -2097,9 +2097,9 @@ return FALSE; /* Each local delivery is performed in a separate process which sets its uid and gid as specified. This is a safer way than simply changing and -restoring using seteuid(); there is a body of opinion that seteuid() cannot be -used safely. From release 4, Exim no longer makes any use of it. Besides, not -all systems have seteuid(). +restoring using seteuid(); there is a body of opinion that seteuid() +cannot be used safely. From release 4, Exim no longer makes any use of +it for delivery. Besides, not all systems have seteuid(). If the uid/gid are specified in the transport_instance, they are used; the transport initialization must ensure that either both or neither are set.