From 5336c0d9bbf5de9a948c168de692a092e557d8b6 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Sun, 5 May 2013 21:32:09 -0400 Subject: [PATCH] Security considerations: running local commands Call out the dangers of use_shell in the security considerations chapter. Call out a number of related dangers too. --- doc/doc-docbook/spec.xfpt | 44 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 018c88ff4..b024f7227 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt 
@@ -35625,6 +35625,50 @@ are given in chapter &<>&. +.section "Running local commands" "SECTsecconslocalcmds" +There are a number of ways in which an administrator can configure Exim to run +commands based upon received, untrustworthy, data. Further, in some +configurations a user who can control a &_.forward_& file can also arrange to +run commands. Configuration to check includes, but is not limited to: + +.ilist +Use of &%use_shell%& in the pipe transport: various forms of shell command +injection may be possible with this option present. It is dangerous and should +be used only with considerable caution. Consider constraints which whitelist +allowed characters in a variable which is to be used in a pipe transport that +has &%use_shell%& enabled. +.next +A number of options such as &%forbid_filter_run%&, &%forbid_filter_perl%&, +&%forbid_filter_dlfunc%& and so forth which restrict facilities available to +&_.forward_ files in a redirect router. If Exim is running on a central mail +hub to which ordinary users do not have shell access, but home directories are +NFS mounted (for instance) then administrators should review the list of these +forbid options available, and should bear in mind that the options that may +need forbidding can change as new features are added between releases. +.next +The &%${run...}%& expansion item does not use a shell by default, but +administrators can configure use of &_/bin/sh_& as part of the command. +Such invocations should be viewed with prejudicial suspicion. +.next +Administrators who use embedded Perl are advised to explore how Perl's +taint checking might apply to their usage. +.next +Use of &%${expand...}%& is somewhat analagous to shell's eval builtin and +administrators are well advised to view its use with suspicion, in case (for +instance) it allows a local-part to contain embedded Exim directives. 
+.next +Use of &%${match_local_part...}%& and friends becomes more dangerous if +Exim was built with EXPAND_LISTMATCH_RHS defined: the second string in +each can reference arbitrary lists and files, rather than just being a list +of opaque strings. +The EXPAND_LISTMATCH_RHS option was added and set false by default because of +real-world security vulnerabilities caused by its use with untrustworthy data +injected in, for SQL injection attacks. +Consider the use of the &%inlisti%& expansion condition instead. +.endlist + + + .section "IPv4 source routing" "SECID272" .cindex "source routing" "in IP packets" .cindex "IP source routing" -- 2.30.2
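Review bot: the second `.ilist` item has broken xfpt literal markup: `&_.forward_ files in a redirect router` is missing the closing `&`, whereas the first item in the same hunk writes it correctly as `&_.forward_&`; it should read `&_.forward_& files in a redirect router`. Two smaller points in the same hunk: "somewhat analagous to shell's eval builtin" should be "analogous", and the sentence "The EXPAND_LISTMATCH_RHS option was added and set false by default because of real-world security vulnerabilities caused by its use with untrustworthy data injected in, for SQL injection attacks." is hard to parse; something like "because of real-world security vulnerabilities in which untrustworthy data reached the right-hand side of the match, leading to SQL injection" says the same thing more clearly and makes the reason for recommending `&%inlisti%&` in the following line easier to follow.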