X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/cd25e41d2d044556e024f0292a17c5ec3cc7987b..1e83d68b72d24d6255d2e78facbe01656515ab4f:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 578485ddd..bbc3949c6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3334,14 +3334,17 @@ proceeding any further along the list, and an error is generated. When this option is used by a caller other than root, and the list is different from the compiled-in list, Exim gives up its root privilege immediately, and runs with the real and effective uid and gid set to those of the caller. - -This behaviour precludes the possibility of testing a configuration using -&%-C%& right through message reception and delivery, even if the caller is -root. The reception works, but by that time, Exim is running as the Exim user, -so when it re-executes to regain privilege for the delivery, the use of &%-C%& -causes privilege to be lost. However, root can test reception and delivery -using two separate commands (one to put a message on the queue, using &%-odq%&, -and another to do the delivery, using &%-M%&). +However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&, +root privilege is retained for any configuration file which matches a prefix +listed in that file. + +Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes the possibility of testing +a configuration using &%-C%& right through message reception and delivery, +even if the caller is root. The reception works, but by that time, Exim is +running as the Exim user, so when it re-executes to regain privilege for the +delivery, the use of &%-C%& causes privilege to be lost. However, root can +test reception and delivery using two separate commands (one to put a message +on the queue, using &%-odq%&, and another to do the delivery, using &%-M%&). If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a prefix string with which any file named in a &%-C%& command line option @@ -4525,19 +4528,21 @@ A one-off alternate configuration can be specified by the &%-C%& command line option, which may specify a single file or a list of files. However, when &%-C%& is used, Exim gives up its root privilege, unless called by root (or unless the argument for &%-C%& is identical to the built-in value from -CONFIGURE_FILE). &%-C%& is useful mainly for checking the syntax of -configuration files before installing them. No owner or group checks are done -on a configuration file specified by &%-C%&. - -The Exim user is not trusted to specify an arbitrary configuration file with -the &%-C%& option to be executed with root privileges. This locks out the -possibility of testing a configuration using &%-C%& right through message -reception and delivery, even if the caller is root. The reception works, but -by that time, Exim is running as the Exim user, so when it re-execs to regain -privilege for the delivery, the use of &%-C%& causes privilege to be lost. -However, root can test reception and delivery using two separate commands -(one to put a message on the queue, using &%-odq%&, and another to do the -delivery, using &%-M%&). +CONFIGURE_FILE) or matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST +file. &%-C%& is useful mainly for checking the syntax of configuration files +before installing them. No owner or group checks are done on a configuration +file specified by &%-C%&, if root privilege has been dropped. + +Even the Exim user is not trusted to specify an arbitrary configuration file +with the &%-C%& option to be used with root privileges, unless that file is +listed in the TRUSTED_CONFIG_PREFIX_LIST file. This locks out the possibility +of testing a configuration using &%-C%& right through message reception and +delivery, even if the caller is root. The reception works, but by that time, +Exim is running as the Exim user, so when it re-execs to regain privilege for +the delivery, the use of &%-C%& causes privilege to be lost. However, root +can test reception and delivery using two separate commands (one to put a +message on the queue, using &%-odq%&, and another to do the delivery, using +&%-M%&). If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a prefix string with which any file named in a &%-C%& command line option must @@ -33797,7 +33802,9 @@ which only root has access, this guards against someone who has broken into the Exim account from running a privileged Exim with an arbitrary configuration file, and using it to break into other accounts. .next -If a non-default configuration file is specified with &%-C%&, or macros are +If a non-trusted configuration file (i.e. the default configuration file or +one which is trusted by virtue of matching a prefix listed in the +TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are given with &%-D%&, then root privilege is retained only if the caller of Exim is root. This locks out the possibility of testing a configuration using &%-C%& right through message reception and delivery, even if the caller is root. The