diff options
author | David Woodhouse <David.Woodhouse@intel.com> | 2010-12-11 13:44:55 +0000 |
---|---|---|
committer | David Woodhouse <David.Woodhouse@intel.com> | 2010-12-11 21:12:40 +0000 |
commit | c1d94452b1b7f3620ee3cc9aa197ad98821de79f (patch) | |
tree | 5152e5ff0bb43108d3c7030913ecc8c51852a085 /doc/doc-docbook | |
parent | 7f36d675a458b3cf823c977e2cc4b47a6e6c8d4a (diff) |
Don't allow a configure file which is writeable by the Exim user or group
(Bug 1044, CVE-2010-4345)
Diffstat (limited to 'doc/doc-docbook')
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 1ec418101..049b2b6b0 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -4501,17 +4501,21 @@ existing file in the list. .cindex "configuration file" "ownership" .cindex "ownership" "configuration file" The run time configuration file must be owned by root or by the user that is -specified at compile time by the EXIM_USER option, or by the user that is specified at compile time by the CONFIGURE_OWNER option (if set). The -configuration file must not be world-writeable or group-writeable, unless its -group is the one specified at compile time by the EXIM_GROUP option or by the +configuration file must not be world-writeable, or group-writeable unless its +group is the root group or the one specified at compile time by the CONFIGURE_GROUP option. &*Warning*&: In a conventional configuration, where the Exim binary is setuid to root, anybody who is able to edit the run time configuration file has an -easy way to run commands as root. If you make your mail administrators members -of the Exim group, but do not trust them with root, make sure that the run time -configuration is not group writeable. +easy way to run commands as root. If you specify a user or group in the +CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users +who are members of that group will trivially be able to obtain root privileges. + +Up to Exim version 4.72, the run time configuration file was also permitted to +be writeable by the Exim user and/or group. That has been changed in Exim 4.73 +since it offered a simple privilege escalation for any attacker who managed to +compromise the Exim user account. A default configuration file, which will work correctly in simple situations, is provided in the file &_src/configure.default_&. If CONFIGURE_FILE |