From: David Woodhouse Date: Thu, 16 Dec 2010 22:29:53 +0000 (+0000) Subject: Turn TRUSTED_CONFIG_PREFIX_LIST into TRUSTED_CONFIG_LIST. No prefix or regexes X-Git-Tag: exim-4_73_RC00~2 X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/90b6341f7282beed1175e942a113c30c212425c9 Turn TRUSTED_CONFIG_PREFIX_LIST into TRUSTED_CONFIG_LIST. No prefix or regexes --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c9b77b88c..22815a9d1 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3334,13 +3334,13 @@ proceeding any further along the list, and an error is generated. When this option is used by a caller other than root, and the list is different from the compiled-in list, Exim gives up its root privilege immediately, and runs with the real and effective uid and gid set to those of the caller. -However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&, -root privilege is retained for any configuration file which matches a prefix -listed in that file as long as the caller is the Exim user (or the user -specified in the CONFIGURE_OWNER option, if any). +However, if a TRUSTED_CONFIG_LIST file is defined in &_Local/Makefile_&, root +privilege is retained for any configuration file which is listed in that file +as long as the caller is the Exim user (or the user specified in the +CONFIGURE_OWNER option, if any). -Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes the possibility of testing -a configuration using &%-C%& right through message reception and delivery, +Leaving TRUSTED_CONFIG_LIST unset precludes the possibility of testing a +configuration using &%-C%& right through message reception and delivery, even if the caller is root. The reception works, but by that time, Exim is running as the Exim user, so when it re-executes to regain privilege for the delivery, the use of &%-C%& causes privilege to be lost. However, root can @@ -4537,17 +4537,16 @@ A one-off alternate configuration can be specified by the &%-C%& command line option, which may specify a single file or a list of files. However, when &%-C%& is used, Exim gives up its root privilege, unless called by root (or unless the argument for &%-C%& is identical to the built-in value from -CONFIGURE_FILE), or matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST -file and the caller is the Exim user or the user specified in the -CONFIGURE_OWNER setting. &%-C%& is useful mainly for checking the syntax of -configuration files before installing them. No owner or group checks are done -on a configuration file specified by &%-C%&, if root privilege has been -dropped. +CONFIGURE_FILE), or is listed in the TRUSTED_CONFIG_LIST file and the caller +is the Exim user or the user specified in the CONFIGURE_OWNER setting. &%-C%& +is useful mainly for checking the syntax of configuration files before +installing them. No owner or group checks are done on a configuration file +specified by &%-C%&, if root privilege has been dropped. Even the Exim user is not trusted to specify an arbitrary configuration file with the &%-C%& option to be used with root privileges, unless that file is -listed in the TRUSTED_CONFIG_PREFIX_LIST file. This locks out the possibility -of testing a configuration using &%-C%& right through message reception and +listed in the TRUSTED_CONFIG_LIST file. This locks out the possibility of +testing a configuration using &%-C%& right through message reception and delivery, even if the caller is root. The reception works, but by that time, Exim is running as the Exim user, so when it re-execs to regain privilege for the delivery, the use of &%-C%& causes privilege to be lost. However, root @@ -33824,15 +33823,15 @@ into the Exim account from running a privileged Exim with an arbitrary configuration file, and using it to break into other accounts. .next If a non-trusted configuration file (i.e. not the default configuration file -or one which is trusted by virtue of matching a prefix listed in the -TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are -given with &%-D%& (but see the next item), then root privilege is retained only -if the caller of Exim is root. This locks out the possibility of testing a -configuration using &%-C%& right through message reception and delivery, even -if the caller is root. The reception works, but by that time, Exim is running -as the Exim user, so when it re-execs to regain privilege for the delivery, the -use of &%-C%& causes privilege to be lost. However, root can test reception and -delivery using two separate commands. +or one which is trusted by virtue of being listed in the TRUSTED_CONFIG_LIST +file) is specified with &%-C%&, or if macros are given with &%-D%& (but see +the next item), then root privilege is retained only if the caller of Exim is +root. This locks out the possibility of testing a configuration using &%-C%& +right through message reception and delivery, even if the caller is root. The +reception works, but by that time, Exim is running as the Exim user, so when +it re-execs to regain privilege for the delivery, the use of &%-C%& causes +privilege to be lost. However, root can test reception and delivery using two +separate commands. .next The WHITELIST_D_MACROS build option declares some macros to be safe to override with &%-D%& if the real uid is one of root, the Exim run-time user or the diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index f405cda5f..07501bb6c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -106,6 +106,8 @@ DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not for other users. Others should always drop root privileges if they use -C on the command line, even for a whitelisted configure file. +DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes. + Exim version 4.72 ----------------- diff --git a/doc/doc-txt/IncompatibleChanges b/doc/doc-txt/IncompatibleChanges index 8f07d784f..50bf186f2 100644 --- a/doc/doc-txt/IncompatibleChanges +++ b/doc/doc-txt/IncompatibleChanges @@ -39,9 +39,9 @@ Exim version 4.73 on; the Exim user can, by default, no longer use -C/-D and retain privilege. Two new build options mitigate this. - * TRUSTED_CONFIG_PREFIX_LIST defines a path prefix within which files - owned by root can be used by the Exim user; this is the recommended - approach going forward. + * TRUSTED_CONFIG_LIST defines a file containing a whitelist of config + files that are trusted to be selected by the Exim user; this is the + recommended approach going forward. * WHITELIST_D_MACROS defines a colon-separated list of macro names which the Exim run-time user may safely pass without dropping privileges. diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b9d88ff82..a732d9b2d 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -102,19 +102,19 @@ Version 4.73 12. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and is forced on. This is mitigated by the new build option - TRUSTED_CONFIG_PREFIX_LIST which defines a list of pathname prefices which - are trusted; if a config file is owned by root and is under that prefix, - then it may be used by the Exim run-time user. + TRUSTED_CONFIG_LIST which defines a list of configuration files which + are trusted; if a config file is owned by root and matches a pathname in + the list, then it may be invoked by the Exim build-time user without Exim + relinquishing root privileges. 13. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically trusted to supply -D overrides on the command-line. Going - forward, we recommend using TRUSTED_CONFIG_PREFIX_LIST with shim configs - that include the main config. As a transition mechanism, we are - temporarily providing a work-around: the new build option - WHITELIST_D_MACROS provides a colon-separated list of macro names which - may be overriden by the Exim run-time user. The values of these macros - are constrained to the regex ^[A-Za-z0-9_/.-]*$ (which explicitly does - allow for empty values). + forward, we recommend using TRUSTED_CONFIG_LIST with shim configs that + include the main config. As a transition mechanism, we are temporarily + providing a work-around: the new build option WHITELIST_D_MACROS provides + a colon-separated list of macro names which may be overriden by the Exim + run-time user. The values of these macros are constrained to the regex + ^[A-Za-z0-9_/.-]*$ (which explicitly does allow for empty values). Version 4.72 diff --git a/src/src/EDITME b/src/src/EDITME index ade6a7cf0..1bb60be21 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -476,14 +476,13 @@ FIXED_NEVER_USERS=root # When a user other than root uses the -C option to override the configuration # file (including the Exim user when re-executing Exim to regain root # privileges for local message delivery), this will normally cause Exim to -# drop root privileges. The TRUSTED_CONFIG_PREFIX_LIST option, specifies -# a file which contains a list of trusted configuration prefixes (like the -# ALT_CONFIG_PREFIX above), one per line. If the -C option is used by the Exim -# user or by the user specified in the CONFIGURE_OWNER setting, to specify a -# configuration file which matches a trusted prefix, root privileges are not -# dropped by Exim. - -# TRUSTED_CONFIG_PREFIX_LIST=/usr/exim/trusted_configs +# drop root privileges. The TRUSTED_CONFIG_LIST option, specifies a file which +# contains a list of trusted configuration filenames, one per line. If the -C +# option is used by the Exim user or by the user specified in the +# CONFIGURE_OWNER setting, to specify a configuration file which is listed in +# the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. + +# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs #------------------------------------------------------------------------------ diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index b4e2c6d9c..5cff6ad5f 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -13,7 +13,7 @@ in config.h unless some value is defined in Local/Makefile. If there is data, it's a default value. */ #define ALT_CONFIG_PREFIX -#define TRUSTED_CONFIG_PREFIX_LIST +#define TRUSTED_CONFIG_LIST #define APPENDFILE_MODE 0600 #define APPENDFILE_DIRECTORY_MODE 0700 diff --git a/src/src/exim.c b/src/src/exim.c index d50672151..dce42f0c4 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -1971,17 +1971,17 @@ for (i = 1; i < argc; i++) #endif if (real_uid != root_uid) { - #ifdef TRUSTED_CONFIG_PREFIX_LIST + #ifdef TRUSTED_CONFIG_LIST - if ((real_uid != exim_uid - #ifdef CONFIGURE_OWNER - && real_uid != config_uid - #endif - ) || Ustrstr(argrest, "/../")) + if (real_uid != exim_uid + #ifdef CONFIGURE_OWNER + && real_uid != config_uid + #endif + ) trusted_config = FALSE; else { - FILE *trust_list = Ufopen(TRUSTED_CONFIG_PREFIX_LIST, "rb"); + FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb"); if (trust_list) { struct stat statbuf; @@ -2007,8 +2007,8 @@ for (i = 1; i < argc; i++) { /* Well, the trust list at least is up to scratch... */ void *reset_point = store_get(0); - uschar *trusted_prefixes[32]; - int nr_prefixes = 0; + uschar *trusted_configs[32]; + int nr_configs = 0; int i = 0; while (Ufgets(big_buffer, big_buffer_size, trust_list)) @@ -2021,13 +2021,13 @@ for (i = 1; i < argc; i++) nl = Ustrchr(start, '\n'); if (nl) *nl = 0; - trusted_prefixes[nr_prefixes++] = string_copy(start); - if (nr_prefixes == 32) + trusted_configs[nr_configs++] = string_copy(start); + if (nr_configs == 32) break; } fclose(trust_list); - if (nr_prefixes) + if (nr_configs) { int sep = 0; uschar *list = argrest; @@ -2035,14 +2035,12 @@ for (i = 1; i < argc; i++) while (trusted_config && (filename = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)) != NULL) { - for (i=0; i < nr_prefixes; i++) + for (i=0; i < nr_configs; i++) { - int len = Ustrlen(trusted_prefixes[i]); - if (Ustrlen(filename) >= len && - Ustrncmp(filename, trusted_prefixes[i], len) == 0) + if (Ustrcmp(filename, trusted_configs[i]) == 0) break; } - if (i == nr_prefixes) + if (i == nr_configs) { trusted_config = FALSE; break; @@ -3487,7 +3485,7 @@ if (removed_privilege && (!trusted_config || macros != NULL) && else log_write(0, LOG_MAIN|LOG_PANIC, "exim user lost privilege for using %s option", - (int)exim_uid, trusted_config? "-D" : "-C"); + trusted_config? "-D" : "-C"); } /* Start up Perl interpreter if Perl support is configured and there is a