From 10385c155b0e1266c02535b76ab73b32fa83d73f Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Sun, 6 Jun 2010 02:46:13 +0000
Subject: [PATCH] No longer permit the exim user to be root.

Fixes: #752
---
 doc/doc-txt/ChangeLog | 4 +++-
 doc/doc-txt/NewStuff | 14 +++++++++++++-
 src/src/EDITME | 5 ++---
 src/src/buildconfig.c | 16 +++++++++++++++-
 src/src/exim.c | 8 +++++++-
 5 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 85edf47d1..8c88085f8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.625 2010/06/06 02:08:50 pdp Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.626 2010/06/06 02:46:13 pdp Exp $
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -40,6 +40,8 @@ PP/11 Bugzilla 922: Documentation dusting, patch provided by John Horne.
 PP/12 Bugzilla 973: Implement --version.
+PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0.
+
 Exim version 4.72
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index fb7e9528c..03c0d4833 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/NewStuff,v 1.171 2010/06/06 01:35:41 pdp Exp $
+$Cambridge: exim/doc/doc-txt/NewStuff,v 1.172 2010/06/06 02:46:13 pdp Exp $
 New Features in Exim
 --------------------
@@ -63,6 +63,18 @@ Version 4.73
 control = debug/opts=+expand+acl
 control = debug/tag=.$message_exim_id/opts=+expand
+ 7. It has always been implicit in the design and the documentation that
+ "the Exim user" is not root. src/EDITME said that using root was
+ "very strongly discouraged". This is not enough to keep people from
+ shooting themselves in the foot in days when many don't configure Exim
+ themselves but via package build managers. The security consequences of
+ running various bits of network code are severe if there should be bugs in
+ them. As such, the Exim user may no longer be root. If configured
+ statically, Exim will refuse to build. If configured as ref:user then Exim
+ will exit shortly after start-up. If you must shoot yourself in the foot,
+ then henceforth you will have to maintain your own local patches to strip
+ the safeties off.
+
 Version 4.72
 ------------
diff --git a/src/src/EDITME b/src/src/EDITME
index 85922f8aa..7f7f6b3a4 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -1,4 +1,4 @@
-# $Cambridge: exim/src/src/EDITME,v 1.25 2010/06/05 11:13:29 pdp Exp $
+# $Cambridge: exim/src/src/EDITME,v 1.26 2010/06/06 02:46:13 pdp Exp $
 ##################################################
 # The Exim mail transport agent #
@@ -131,8 +131,7 @@ CONFIGURE_FILE=/usr/exim/configure
 # group that is used for Exim processes when they no longer need to be root. In
 # particular, this applies when receiving messages and when doing remote
 # deliveries. (Local deliveries run as various non-root users, typically as the
-# owner of a local mailbox.) Specifying these values as root is very strongly
-# discouraged.
+# owner of a local mailbox.) Specifying these values as root is not supported.
 EXIM_USER=
diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c
index 51fe02618..36561a968 100644
--- a/src/src/buildconfig.c
+++ b/src/src/buildconfig.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/buildconfig.c,v 1.15 2009/11/16 19:50:36 nm4 Exp $ */
+/* $Cambridge: exim/src/src/buildconfig.c,v 1.16 2010/06/06 02:46:13 pdp Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -356,6 +356,7 @@ while (fgets(buffer, sizeof(buffer), base) != NULL)
 uid_t uid = 0;
 gid_t gid = 0;
 int gid_set = 0;
+ int uid_not_set = 0;
 char *username = NULL;
 char *groupname = NULL;
 char *s;
@@ -410,6 +411,7 @@ while (fgets(buffer, sizeof(buffer), base) != NULL)
 while (isspace(*user)) user++;
 username = user;
 gid_set = 1;
+ uid_not_set = 1;
 }
 else
@@ -503,6 +505,18 @@ while (fgets(buffer, sizeof(buffer), base) != NULL)
 return 1;
 }
+ /* security sanity checks
+ if ref: is being used, we can never be sure, but we can take reasonable
+ steps to filter out the most obvious ones. */
+
+ if ((!uid_not_set && uid == 0) ||
+ (strcmp(username, "root") == 0) ||
+ (strcmp(username, "toor") == 0) )
+ {
+ printf("\n*** Exim's internal user must not be root.\n\n");
+ return 1;
+ }
+
 /* Output user and group names or uid/gid. When names are set, uid/gid
 are set to zero but will be replaced at runtime. */
diff --git a/src/src/exim.c b/src/src/exim.c
index 36f7a1b3d..a68a06227 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/exim.c,v 1.68 2010/06/06 02:08:50 pdp Exp $ */
+/* $Cambridge: exim/src/src/exim.c,v 1.69 2010/06/06 02:46:13 pdp Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -1234,6 +1234,12 @@ This is a feature to make the lives of binary distributors easier. */
 #ifdef EXIM_USERNAME
 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
 {
+ if (exim_uid == 0) { fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
+ EXIM_USERNAME);
+ exit(EXIT_FAILURE);
+ }
 exim_gid = pw->pw_gid;
 }
 else
--
2.30.2
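Review bot: `strcmp(username, "root")` in the new sanity check dereferences `username`, which the first hunk initialises to NULL and the second hunk assigns only on the `ref:` path; for a statically configured non-zero uid the first `||` operand is false and, if the non-`ref:` branch (outside this hunk) leaves `username` NULL, `strcmp` runs on a null pointer, which is undefined behaviour and a crash in practice. Guard the name comparisons: `((username != NULL) && (strcmp(username, "root") == 0 || strcmp(username, "toor") == 0))`. The name test can only catch the obvious spellings, as the comment admits; it would help a reader to say where the decisive check lives, e.g. `/* A ref: user is resolved at runtime; exim.c refuses uid 0 then. */`. The enclosing loop body starts and ends outside the hunk.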
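Review bot: The new refusal tests `exim_uid` only; `exim_gid = pw->pw_gid` on the line after the added block is taken unchecked, while the EDITME wording changed in this same commit says root is unsupported for both EXIM_USER and EXIM_GROUP, so a `ref:` user whose primary group is gid 0 still passes. If gid 0 is meant to be refused as well, the same `fprintf`/`exit` shape applied to the final `exim_gid` (after any separate group override, which is outside this hunk) would do it: `if (exim_gid == 0) { fprintf(stderr, "exim: refusing to run with gid 0 for \"%s\"\n", EXIM_USERNAME); exit(EXIT_FAILURE); }`. A statically configured uid gets no runtime check here and relies on buildconfig.c's build-time refusal, which is worth a comment on the added `if`: `/* Static uids are rejected at build time by buildconfig.c; a ref: user can only be checked here. */`. The `#ifdef EXIM_USERNAME` block continues past the hunk.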