From f33875c3a0a0ef03a2e53cfcd339791b793151f0 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Tue, 9 May 2017 16:00:58 -0400 Subject: [PATCH] Add option commandline_checks_require_admin May help with scenarios already so broken that bug report 2118 is actually an issue (Wordpress vuln). --- doc/doc-docbook/spec.xfpt | 52 +++++++++++++++++++++++++++++++++++-- doc/doc-txt/ChangeLog | 8 ++++++ doc/doc-txt/NewStuff | 3 +++ doc/doc-txt/OptionLists.txt | 1 + src/src/exim.c | 8 ++++++ src/src/globals.c | 1 + src/src/globals.h | 1 + src/src/readconf.c | 1 + 8 files changed, 73 insertions(+), 2 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 5b735907e..f33b193eb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -13599,6 +13599,7 @@ listed in more than one group. .section "Privilege controls" "SECID98" .table2 .row &%admin_groups%& "groups that are Exim admin users" +.row &%commandline_checks_require_admin%& "require admin for various checks" .row &%deliver_drop_privilege%& "drop root for delivery processes" .row &%local_from_check%& "insert &'Sender:'& if necessary" .row &%local_from_prefix%& "for testing &'From:'& for local sender" @@ -14461,6 +14462,14 @@ The CHUNKING extension (RFC3030) will be advertised in the EHLO message to these hosts. Hosts may use the BDAT command as an alternate to DATA. +.new +.option commandline_checks_require_admin main boolean &`false`& +.cindex "restricting access to features" +This option restricts various basic checking features to require an +administrative user. +This affects most of the &%-b*%& options, such as &%-be%&. +.wen + .option debug_store main boolean &`false`& .cindex debugging "memory corruption" .cindex memory debugging @@ -15942,12 +15951,13 @@ different spool directories. .option prod_requires_admin main boolean true +.cindex "restricting access to features" .oindex "&%-M%&" .oindex "&%-R%&" .oindex "&%-q%&" The &%-M%&, &%-R%&, and &%-q%& command-line options require the caller to be an admin user unless &%prod_requires_admin%& is set false. See also -&%queue_list_requires_admin%&. +&%queue_list_requires_admin%& and &%commandline_checks_require_admin%&. .option qualify_domain main string "see below" @@ -15986,10 +15996,12 @@ next queue run. See also &%hold_domains%& and &%queue_smtp_domains%&. .option queue_list_requires_admin main boolean true +.cindex "restricting access to features" .oindex "&%-bp%&" The &%-bp%& command-line option, which lists the messages that are on the queue, requires the caller to be an admin user unless -&%queue_list_requires_admin%& is set false. See also &%prod_requires_admin%&. +&%queue_list_requires_admin%& is set false. +See also &%prod_requires_admin%& and &%commandline_checks_require_admin%&. .option queue_only main boolean false @@ -20333,11 +20345,15 @@ relative path is then passed to the transport unmodified. .option forbid_blackhole redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is true, the &':blackhole:'& item may not appear in a redirection list. .option forbid_exim_filter redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is set true, only Sieve filters are permitted when &%allow_filter%& is true. @@ -20345,7 +20361,9 @@ If this option is set true, only Sieve filters are permitted when .option forbid_file redirect boolean false +.cindex "restricting access to features" .cindex "delivery" "to file; forbidding" +.cindex "filter" "locking out certain features" .cindex "Sieve filter" "forbidding delivery to a file" .cindex "Sieve filter" "&""keep""& facility; disabling" If this option is true, this router may not generate a new address that @@ -20356,17 +20374,22 @@ locks out the Sieve's &"keep"& facility. .option forbid_filter_dlfunc redirect boolean false +.cindex "restricting access to features" .cindex "filter" "locking out certain features" If this option is true, string expansions in Exim filters are not allowed to make use of the &%dlfunc%& expansion facility to run dynamically loaded functions. .option forbid_filter_existstest redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" .cindex "expansion" "statting a file" If this option is true, string expansions in Exim filters are not allowed to make use of the &%exists%& condition or the &%stat%& expansion item. .option forbid_filter_logwrite redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is true, use of the logging facility in Exim filters is not permitted. Logging is in any case available only if the filter is being run under some unprivileged uid (which is normally the case for ordinary users' @@ -20374,27 +20397,37 @@ under some unprivileged uid (which is normally the case for ordinary users' .option forbid_filter_lookup redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is true, string expansions in Exim filter files are not allowed to make use of &%lookup%& items. .option forbid_filter_perl redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" This option has an effect only if Exim is built with embedded Perl support. If it is true, string expansions in Exim filter files are not allowed to make use of the embedded Perl support. .option forbid_filter_readfile redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is true, string expansions in Exim filter files are not allowed to make use of &%readfile%& items. .option forbid_filter_readsocket redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is true, string expansions in Exim filter files are not allowed to make use of &%readsocket%& items. .option forbid_filter_reply redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is true, this router may not generate an automatic reply message. Automatic replies can be generated only from Exim or Sieve filter files, not from traditional forward files. This option is forced to be true if @@ -20402,11 +20435,15 @@ files, not from traditional forward files. This option is forced to be true if .option forbid_filter_run redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is true, string expansions in Exim filter files are not allowed to make use of &%run%& items. .option forbid_include redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is true, items of the form .code :include: @@ -20415,6 +20452,8 @@ are not permitted in non-filter redirection lists. .option forbid_pipe redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" .cindex "delivery" "to pipe; forbidding" If this option is true, this router may not generate a new address which specifies delivery to a pipe, either from an Exim filter or from a conventional @@ -20422,6 +20461,8 @@ forward file. This option is forced to be true if &%one_time%& is set. .option forbid_sieve_filter redirect boolean false +.cindex "restricting access to features" +.cindex "filter" "locking out certain features" If this option is set true, only Exim filters are permitted when &%allow_filter%& is true. @@ -37957,6 +37998,13 @@ the contents of files on the spool via the Exim monitor (which runs unprivileged), Exim must be built to allow group read access to its spool files. +.new +By default, regular users are trusted to perform basic testing and +introspection commands, as themselves. This setting can be tightened by +setting the &%commandline_checks_require_admin%& option. +This affects most of the checking options, +such as &%-be%& and anything else &%-b*%&. +.wen .section "Spool files" "SECID275" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 2078b3521..4bc5235ec 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -78,6 +78,14 @@ JH/12 Fix check on SMTP command input synchronisation. Previously there were or prompt from Exim (running as a server), due to that code's lack of awareness of the SMTP input buferring. +PP/04 Add commandline_checks_require_admin option. + Exim drops privileges sanely, various checks such as -be aren't a + security problem, as long as you trust local users with access to their + own account. When invoked by services which pass untrusted data to + Exim, this might be an issue. Set this option in main configuration + AND make fixes to the calling application, such as using `--` to stop + processing options. + Exim version 4.89 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index cb2346f69..5fd7fbb29 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -35,6 +35,9 @@ Version 4.90 received using the ESMTP CHUNKING option, and when a new main-section option "spool_wireformat" (false by default) is set. + 8. New main configuration option "commandline_checks_require_admin" to + restrict who can use various introspection options. + Version 4.89 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 95d321e5c..5728643a8 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -137,6 +137,7 @@ command string* unset lmtp command_group string unset queryprogram 4.00 command_timeout time 5m smtp command_user string unset queryprogram 4.00 +commandline_checks_require_admin boolean false main 4.90 condition string* unset routers 4.00 connect_timeout time 0s smtp 1.60 connection_max_messages integer 500 smtp 4.00 replaces batch_max diff --git a/src/src/exim.c b/src/src/exim.c index dcc84e3d5..67583e584 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -3868,6 +3868,14 @@ else trusted_caller = TRUE; } +/* At this point, we know if the user is privileged and some command-line +options become possibly imperssible, depending upon the configuration file. */ + +if (checking && commandline_checks_require_admin && !admin_user) { + fprintf(stderr, "exim: those command-line flags are set to require admin\n"); + exit(EXIT_FAILURE); +} + /* Handle the decoding of logging options. */ decode_bits(log_selector, log_selector_size, log_notall, diff --git a/src/src/globals.c b/src/src/globals.c index 46db4f373..9b455c9db 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -511,6 +511,7 @@ uschar *client_authenticated_id = NULL; uschar *client_authenticated_sender = NULL; int clmacro_count = 0; uschar *clmacros[MAX_CLMACROS]; +BOOL commandline_checks_require_admin = FALSE; BOOL config_changed = FALSE; FILE *config_file = NULL; const uschar *config_filename = NULL; diff --git a/src/src/globals.h b/src/src/globals.h index 63c9c29c7..056f1c213 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -282,6 +282,7 @@ extern uschar *client_authenticated_id; /* "login" name used for SMTP AUTH * extern uschar *client_authenticated_sender; /* AUTH option to SMTP MAIL FROM (not yet used) */ extern int clmacro_count; /* Number of command line macros */ extern uschar *clmacros[]; /* Copy of them, for re-exec */ +extern BOOL commandline_checks_require_admin; /* belt and braces for insecure setups */ extern int connection_max_messages;/* Max down one SMTP connection */ extern BOOL config_changed; /* True if -C used */ extern FILE *config_file; /* Configuration file */ diff --git a/src/src/readconf.c b/src/src/readconf.c index f43a3d163..95abaf5be 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -217,6 +217,7 @@ static optionlist optionlist_config[] = { { "check_spool_inodes", opt_int, &check_spool_inodes }, { "check_spool_space", opt_Kint, &check_spool_space }, { "chunking_advertise_hosts", opt_stringptr, &chunking_advertise_hosts }, + { "commandline_checks_require_admin", opt_bool,&commandline_checks_require_admin }, { "daemon_smtp_port", opt_stringptr|opt_hidden, &daemon_smtp_port }, { "daemon_smtp_ports", opt_stringptr, &daemon_smtp_port }, { "daemon_startup_retries", opt_int, &daemon_startup_retries }, -- 2.30.2