-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.84 2010/06/07 08:23:20 pdp Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.88 2010/06/14 18:51:09 pdp Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
.section "Use of tcpwrappers" "SECID27"
.cindex "tcpwrappers, building Exim to support"
.cindex "USE_TCP_WRAPPERS"
+.cindex "TCP_WRAPPERS_DAEMON_NAME"
+.cindex "tcp_wrappers_daemon_name"
Exim can be linked with the &'tcpwrappers'& library in order to check incoming
SMTP calls using the &'tcpwrappers'& control files. This may be a convenient
alternative to Exim's own checking facilities for installations that are
CFLAGS=-O -I/usr/local/include
EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
.endd
-in &_Local/Makefile_&. The name to use in the &'tcpwrappers'& control files is
-&"exim"&. For example, the line
+in &_Local/Makefile_&. The daemon name to use in the &'tcpwrappers'& control
+files is &"exim"&. For example, the line
.code
exim : LOCAL 192.168.1. .friendly.domain.example
.endd
in your &_/etc/hosts.allow_& file allows connections from the local host, from
the subnet 192.168.1.0/24, and from all hosts in &'friendly.domain.example'&.
-All other connections are denied. Consult the &'tcpwrappers'& documentation for
+All other connections are denied. The daemon name used by &'tcpwrappers'&
+can be changed at build time by setting TCP_WRAPPERS_DAEMON_NAME in
+in &_Local/Makefile_&, or by setting tcp_wrappers_daemon_name in the
+configure file. Consult the &'tcpwrappers'& documentation for
further details.
.cindex "testing", "malware"
.cindex "malware scan test"
This debugging option causes Exim to scan the given file,
-using the malware scanning framework. The option of av_scanner influences
-this option, so if av_scanner's value is dependent upon an expansion then
-the expansion should have defaults which apply to this invocation. Exim will
-have changed working directory before resolving the filename, so using fully
-qualified pathnames is advisable. This option requires admin privileges.
+using the malware scanning framework. The option of &%av_scanner%& influences
+this option, so if &%av_scanner%&'s value is dependent upon an expansion then
+the expansion should have defaults which apply to this invocation. ACLs are
+not invoked, so if &%av_scanner%& references an ACL variable then that variable
+will never be populated and &%-bmalware%& will fail.
+
+Exim will have changed working directory before resolving the filename, so
+using fully qualified pathnames is advisable. Exim will be running as the Exim
+user when it tries to open the file, rather than as the invoking user.
+This option requires admin privileges.
+
+The &%-bmalware%& option will not be extended to be more generally useful,
+there are better tools for file-scanning. This option exists to help
+administrators verify their Exim and AV scanner configuration.
.vitem &%-bt%&
.oindex "&%-bt%&"
file that exists is used. Failure to open an existing file stops Exim from
proceeding any further along the list, and an error is generated.
-When this option is used by a caller other than root or the Exim user, and the
-list is different from the compiled-in list, Exim gives up its root privilege
-immediately, and runs with the real and effective uid and gid set to those of
-the caller. However, if ALT_CONFIG_ROOT_ONLY is defined in
-&_Local/Makefile_&, root privilege is retained for &%-C%& only if the caller of
-Exim is root.
-
-That is, the Exim user is no longer privileged in this regard. This build-time
-option is not set by default in the Exim source distribution tarbundle.
-However, if you are using a &"packaged"& version of Exim (source or binary),
-the packagers might have enabled it.
-
-Setting ALT_CONFIG_ROOT_ONLY locks out the possibility of testing a
-configuration using &%-C%& right through message reception and delivery, even
-if the caller is root. The reception works, but by that time, Exim is running
-as the Exim user, so when it re-executes to regain privilege for the delivery,
-the use of &%-C%& causes privilege to be lost. However, root can test reception
-and delivery using two separate commands (one to put a message on the queue,
-using &%-odq%&, and another to do the delivery, using &%-M%&).
+When this option is used by a caller other than root, and the list is different
+from the compiled-in list, Exim gives up its root privilege immediately, and
+runs with the real and effective uid and gid set to those of the caller.
+However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&,
+root privilege is retained for any configuration file which matches a prefix
+listed in that file.
+
+Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes the possibility of testing
+a configuration using &%-C%& right through message reception and delivery,
+even if the caller is root. The reception works, but by that time, Exim is
+running as the Exim user, so when it re-executes to regain privilege for the
+delivery, the use of &%-C%& causes privilege to be lost. However, root can
+test reception and delivery using two separate commands (one to put a message
+on the queue, using &%-odq%&, and another to do the delivery, using &%-M%&).
If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
prefix string with which any file named in a &%-C%& command line option
.cindex "configuration file" "ownership"
.cindex "ownership" "configuration file"
The run time configuration file must be owned by root or by the user that is
-specified at compile time by the EXIM_USER option, or by the user that is
specified at compile time by the CONFIGURE_OWNER option (if set). The
-configuration file must not be world-writeable or group-writeable, unless its
-group is the one specified at compile time by the EXIM_GROUP option or by the
+configuration file must not be world-writeable, or group-writeable unless its
+group is the root group or the one specified at compile time by the
CONFIGURE_GROUP option.
&*Warning*&: In a conventional configuration, where the Exim binary is setuid
to root, anybody who is able to edit the run time configuration file has an
-easy way to run commands as root. If you make your mail administrators members
-of the Exim group, but do not trust them with root, make sure that the run time
-configuration is not group writeable.
+easy way to run commands as root. If you specify a user or group in the
+CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users
+who are members of that group will trivially be able to obtain root privileges.
+
+Up to Exim version 4.72, the run time configuration file was also permitted to
+be writeable by the Exim user and/or group. That has been changed in Exim 4.73
+since it offered a simple privilege escalation for any attacker who managed to
+compromise the Exim user account.
A default configuration file, which will work correctly in simple situations,
is provided in the file &_src/configure.default_&. If CONFIGURE_FILE
.cindex "configuration file" "alternate"
A one-off alternate configuration can be specified by the &%-C%& command line
option, which may specify a single file or a list of files. However, when
-&%-C%& is used, Exim gives up its root privilege, unless called by root or the
-Exim user (or unless the argument for &%-C%& is identical to the built-in value
-from CONFIGURE_FILE). &%-C%& is useful mainly for checking the syntax of
-configuration files before installing them. No owner or group checks are done
-on a configuration file specified by &%-C%&.
-
-The privileged use of &%-C%& by the Exim user can be locked out by setting
-ALT_CONFIG_ROOT_ONLY in &_Local/Makefile_& when building Exim. However,
-if you do this, you also lock out the possibility of testing a
-configuration using &%-C%& right through message reception and delivery, even
-if the caller is root. The reception works, but by that time, Exim is running
-as the Exim user, so when it re-execs to regain privilege for the delivery, the
-use of &%-C%& causes privilege to be lost. However, root can test reception and
-delivery using two separate commands (one to put a message on the queue, using
-&%-odq%&, and another to do the delivery, using &%-M%&).
+&%-C%& is used, Exim gives up its root privilege, unless called by root (or
+unless the argument for &%-C%& is identical to the built-in value from
+CONFIGURE_FILE) or matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST
+file. &%-C%& is useful mainly for checking the syntax of configuration files
+before installing them. No owner or group checks are done on a configuration
+file specified by &%-C%&, if root privilege has been dropped.
+
+Even the Exim user is not trusted to specify an arbitrary configuration file
+with the &%-C%& option to be used with root privileges, unless that file is
+listed in the TRUSTED_CONFIG_PREFIX_LIST file. This locks out the possibility
+of testing a configuration using &%-C%& right through message reception and
+delivery, even if the caller is root. The reception works, but by that time,
+Exim is running as the Exim user, so when it re-execs to regain privilege for
+the delivery, the use of &%-C%& causes privilege to be lost. However, root
+can test reception and delivery using two separate commands (one to put a
+message on the queue, using &%-odq%&, and another to do the delivery, using
+&%-M%&).
If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
prefix string with which any file named in a &%-C%& command line option must
This condition turns a string holding a true or false representation into
a boolean state. It parses &"true"&, &"false"&, &"yes"& and &"no"&
(case-insensitively); also positive integer numbers map to true if non-zero,
-false if zero. Leading whitespace is ignored.
+false if zero. Leading and trailing whitespace is ignored.
All other string values will result in expansion failure.
When combined with ACL variables, this expansion condition will let you
where &%bool%& accepts a strict set of strings, &%bool_lax%& uses the same
loose definition that the Router &%condition%& option uses. The empty string
and the values &"false"&, &"no"& and &"0"& map to false, all others map to
-true.
+true. Leading and trailing whitespace is ignored.
Note that where &"bool{00}"& is false, &"bool_lax{00}"& is true.
into the Exim account from running a privileged Exim with an arbitrary
configuration file, and using it to break into other accounts.
.next
-If ALT_CONFIG_ROOT_ONLY is defined, root privilege is retained for &%-C%&
-and &%-D%& only if the caller of Exim is root. Without it, the Exim user may
-also use &%-C%& and &%-D%& and retain privilege. Setting this option locks out
-the possibility of testing a configuration using &%-C%& right through message
-reception and delivery, even if the caller is root. The reception works, but by
-that time, Exim is running as the Exim user, so when it re-execs to regain
-privilege for the delivery, the use of &%-C%& causes privilege to be lost.
-However, root can test reception and delivery using two separate commands.
-ALT_CONFIG_ROOT_ONLY is not set by default.
+If a non-trusted configuration file (i.e. the default configuration file or
+one which is trusted by virtue of matching a prefix listed in the
+TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are
+given with &%-D%&, then root privilege is retained only if the caller of Exim
+is root. This locks out the possibility of testing a configuration using &%-C%&
+right through message reception and delivery, even if the caller is root. The
+reception works, but by that time, Exim is running as the Exim user, so when
+it re-execs to regain privilege for the delivery, the use of &%-C%& causes
+privilege to be lost. However, root can test reception and delivery using two
+separate commands.
.next
If DISABLE_D_OPTION is defined, the use of the &%-D%& command line option
is disabled.
.oindex "&%-D%&"
If the &%-C%& option is used to specify an alternate configuration file, or if
the &%-D%& option is used to define macro values for the configuration, and the
-calling process is not running as root or the Exim user, the uid and gid are
-changed to those of the calling process.
-However, if ALT_CONFIG_ROOT_ONLY is defined in &_Local/Makefile_&, only
-root callers may use &%-C%& and &%-D%& without losing privilege, and if
-DISABLE_D_OPTION is set, the &%-D%& option may not be used at all.
+calling process is not running as root, the uid and gid are changed to those of
+ the calling process.
+However, if DISABLE_D_OPTION is defined in &_Local/Makefile_&, the &%-D%&
+option may not be used at all.
.next
.oindex "&%-be%&"
.oindex "&%-bf%&"
git://git.exim.org / users / heiko / exim.git / blobdiff