summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2017-05-09 16:00:58 -0400
committerPhil Pennock <pdp@exim.org>2017-05-09 16:00:58 -0400
commitf33875c3a0a0ef03a2e53cfcd339791b793151f0 (patch)
tree109391b7ca17bfab48708c1c09ccc4b9502df204
parentce889807c90746896f1310e9f4957215f46f7836 (diff)
Add option commandline_checks_require_admin
May help with scenarios already so broken that bug report 2118 is actually an issue (Wordpress vuln).
-rw-r--r--doc/doc-docbook/spec.xfpt52
-rw-r--r--doc/doc-txt/ChangeLog8
-rw-r--r--doc/doc-txt/NewStuff3
-rw-r--r--doc/doc-txt/OptionLists.txt1
-rw-r--r--src/src/exim.c8
-rw-r--r--src/src/globals.c1
-rw-r--r--src/src/globals.h1
-rw-r--r--src/src/readconf.c1
8 files changed, 73 insertions, 2 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5b735907e..f33b193eb 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13599,6 +13599,7 @@ listed in more than one group.
.section "Privilege controls" "SECID98"
.table2
.row &%admin_groups%& "groups that are Exim admin users"
+.row &%commandline_checks_require_admin%& "require admin for various checks"
.row &%deliver_drop_privilege%& "drop root for delivery processes"
.row &%local_from_check%& "insert &'Sender:'& if necessary"
.row &%local_from_prefix%& "for testing &'From:'& for local sender"
@@ -14461,6 +14462,14 @@ The CHUNKING extension (RFC3030) will be advertised in the EHLO message to
these hosts.
Hosts may use the BDAT command as an alternate to DATA.
+.new
+.option commandline_checks_require_admin main boolean &`false`&
+.cindex "restricting access to features"
+This option restricts various basic checking features to require an
+administrative user.
+This affects most of the &%-b*%& options, such as &%-be%&.
+.wen
+
.option debug_store main boolean &`false`&
.cindex debugging "memory corruption"
.cindex memory debugging
@@ -15942,12 +15951,13 @@ different spool directories.
.option prod_requires_admin main boolean true
+.cindex "restricting access to features"
.oindex "&%-M%&"
.oindex "&%-R%&"
.oindex "&%-q%&"
The &%-M%&, &%-R%&, and &%-q%& command-line options require the caller to be an
admin user unless &%prod_requires_admin%& is set false. See also
-&%queue_list_requires_admin%&.
+&%queue_list_requires_admin%& and &%commandline_checks_require_admin%&.
.option qualify_domain main string "see below"
@@ -15986,10 +15996,12 @@ next queue run. See also &%hold_domains%& and &%queue_smtp_domains%&.
.option queue_list_requires_admin main boolean true
+.cindex "restricting access to features"
.oindex "&%-bp%&"
The &%-bp%& command-line option, which lists the messages that are on the
queue, requires the caller to be an admin user unless
-&%queue_list_requires_admin%& is set false. See also &%prod_requires_admin%&.
+&%queue_list_requires_admin%& is set false.
+See also &%prod_requires_admin%& and &%commandline_checks_require_admin%&.
.option queue_only main boolean false
@@ -20333,11 +20345,15 @@ relative path is then passed to the transport unmodified.
.option forbid_blackhole redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, the &':blackhole:'& item may not appear in a
redirection list.
.option forbid_exim_filter redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is set true, only Sieve filters are permitted when
&%allow_filter%& is true.
@@ -20345,7 +20361,9 @@ If this option is set true, only Sieve filters are permitted when
.option forbid_file redirect boolean false
+.cindex "restricting access to features"
.cindex "delivery" "to file; forbidding"
+.cindex "filter" "locking out certain features"
.cindex "Sieve filter" "forbidding delivery to a file"
.cindex "Sieve filter" "&""keep""& facility; disabling"
If this option is true, this router may not generate a new address that
@@ -20356,17 +20374,22 @@ locks out the Sieve's &"keep"& facility.
.option forbid_filter_dlfunc redirect boolean false
+.cindex "restricting access to features"
.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filters are not allowed to
make use of the &%dlfunc%& expansion facility to run dynamically loaded
functions.
.option forbid_filter_existstest redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
.cindex "expansion" "statting a file"
If this option is true, string expansions in Exim filters are not allowed to
make use of the &%exists%& condition or the &%stat%& expansion item.
.option forbid_filter_logwrite redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, use of the logging facility in Exim filters is not
permitted. Logging is in any case available only if the filter is being run
under some unprivileged uid (which is normally the case for ordinary users'
@@ -20374,27 +20397,37 @@ under some unprivileged uid (which is normally the case for ordinary users'
.option forbid_filter_lookup redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filter files are not allowed
to make use of &%lookup%& items.
.option forbid_filter_perl redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
This option has an effect only if Exim is built with embedded Perl support. If
it is true, string expansions in Exim filter files are not allowed to make use
of the embedded Perl support.
.option forbid_filter_readfile redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filter files are not allowed
to make use of &%readfile%& items.
.option forbid_filter_readsocket redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filter files are not allowed
to make use of &%readsocket%& items.
.option forbid_filter_reply redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, this router may not generate an automatic reply
message. Automatic replies can be generated only from Exim or Sieve filter
files, not from traditional forward files. This option is forced to be true if
@@ -20402,11 +20435,15 @@ files, not from traditional forward files. This option is forced to be true if
.option forbid_filter_run redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, string expansions in Exim filter files are not allowed
to make use of &%run%& items.
.option forbid_include redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is true, items of the form
.code
:include:<path name>
@@ -20415,6 +20452,8 @@ are not permitted in non-filter redirection lists.
.option forbid_pipe redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
.cindex "delivery" "to pipe; forbidding"
If this option is true, this router may not generate a new address which
specifies delivery to a pipe, either from an Exim filter or from a conventional
@@ -20422,6 +20461,8 @@ forward file. This option is forced to be true if &%one_time%& is set.
.option forbid_sieve_filter redirect boolean false
+.cindex "restricting access to features"
+.cindex "filter" "locking out certain features"
If this option is set true, only Exim filters are permitted when
&%allow_filter%& is true.
@@ -37957,6 +37998,13 @@ the contents of files on the spool via the Exim monitor (which runs
unprivileged), Exim must be built to allow group read access to its spool
files.
+.new
+By default, regular users are trusted to perform basic testing and
+introspection commands, as themselves. This setting can be tightened by
+setting the &%commandline_checks_require_admin%& option.
+This affects most of the checking options,
+such as &%-be%& and anything else &%-b*%&.
+.wen
.section "Spool files" "SECID275"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2078b3521..4bc5235ec 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -78,6 +78,14 @@ JH/12 Fix check on SMTP command input synchronisation. Previously there were
or prompt from Exim (running as a server), due to that code's lack of
awareness of the SMTP input buferring.
+PP/04 Add commandline_checks_require_admin option.
+ Exim drops privileges sanely, various checks such as -be aren't a
+ security problem, as long as you trust local users with access to their
+ own account. When invoked by services which pass untrusted data to
+ Exim, this might be an issue. Set this option in main configuration
+ AND make fixes to the calling application, such as using `--` to stop
+ processing options.
+
Exim version 4.89
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index cb2346f69..5fd7fbb29 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -35,6 +35,9 @@ Version 4.90
received using the ESMTP CHUNKING option, and when a new main-section
option "spool_wireformat" (false by default) is set.
+ 8. New main configuration option "commandline_checks_require_admin" to
+ restrict who can use various introspection options.
+
Version 4.89
------------
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 95d321e5c..5728643a8 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -137,6 +137,7 @@ command string* unset lmtp
command_group string unset queryprogram 4.00
command_timeout time 5m smtp
command_user string unset queryprogram 4.00
+commandline_checks_require_admin boolean false main 4.90
condition string* unset routers 4.00
connect_timeout time 0s smtp 1.60
connection_max_messages integer 500 smtp 4.00 replaces batch_max
diff --git a/src/src/exim.c b/src/src/exim.c
index dcc84e3d5..67583e584 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3868,6 +3868,14 @@ else
trusted_caller = TRUE;
}
+/* At this point, we know if the user is privileged and some command-line
+options become possibly imperssible, depending upon the configuration file. */
+
+if (checking && commandline_checks_require_admin && !admin_user) {
+ fprintf(stderr, "exim: those command-line flags are set to require admin\n");
+ exit(EXIT_FAILURE);
+}
+
/* Handle the decoding of logging options. */
decode_bits(log_selector, log_selector_size, log_notall,
diff --git a/src/src/globals.c b/src/src/globals.c
index 46db4f373..9b455c9db 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -511,6 +511,7 @@ uschar *client_authenticated_id = NULL;
uschar *client_authenticated_sender = NULL;
int clmacro_count = 0;
uschar *clmacros[MAX_CLMACROS];
+BOOL commandline_checks_require_admin = FALSE;
BOOL config_changed = FALSE;
FILE *config_file = NULL;
const uschar *config_filename = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 63c9c29c7..056f1c213 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -282,6 +282,7 @@ extern uschar *client_authenticated_id; /* "login" name used for SMTP AUTH *
extern uschar *client_authenticated_sender; /* AUTH option to SMTP MAIL FROM (not yet used) */
extern int clmacro_count; /* Number of command line macros */
extern uschar *clmacros[]; /* Copy of them, for re-exec */
+extern BOOL commandline_checks_require_admin; /* belt and braces for insecure setups */
extern int connection_max_messages;/* Max down one SMTP connection */
extern BOOL config_changed; /* True if -C used */
extern FILE *config_file; /* Configuration file */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index f43a3d163..95abaf5be 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -217,6 +217,7 @@ static optionlist optionlist_config[] = {
{ "check_spool_inodes", opt_int, &check_spool_inodes },
{ "check_spool_space", opt_Kint, &check_spool_space },
{ "chunking_advertise_hosts", opt_stringptr, &chunking_advertise_hosts },
+ { "commandline_checks_require_admin", opt_bool,&commandline_checks_require_admin },
{ "daemon_smtp_port", opt_stringptr|opt_hidden, &daemon_smtp_port },
{ "daemon_smtp_ports", opt_stringptr, &daemon_smtp_port },
{ "daemon_startup_retries", opt_int, &daemon_startup_retries },