author David Woodhouse <David.Woodhouse@intel.com> 2010-12-11 13:44:55 +0000
committer David Woodhouse <David.Woodhouse@intel.com> 2010-12-11 21:12:40 +0000
commit c1d94452b1b7f3620ee3cc9aa197ad98821de79f (patch)
tree 5152e5ff0bb43108d3c7030913ecc8c51852a085 /doc/doc-docbook
parent 7f36d675a458b3cf823c977e2cc4b47a6e6c8d4a (diff)
Don't allow a configure file which is writeable by the Exim user or group
(Bug 1044, CVE-2010-4345)
Diffstat (limited to 'doc/doc-docbook')
-rw-r--r-- doc/doc-docbook/spec.xfpt 16
1 files changed, 10 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 1ec418101..049b2b6b0 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -4501,17 +4501,21 @@ existing file in the list.
.cindex "configuration file" "ownership"
.cindex "ownership" "configuration file"
The run time configuration file must be owned by root or by the user that is
-specified at compile time by the EXIM_USER option, or by the user that is
specified at compile time by the CONFIGURE_OWNER option (if set). The
-configuration file must not be world-writeable or group-writeable, unless its
-group is the one specified at compile time by the EXIM_GROUP option or by the
+configuration file must not be world-writeable, or group-writeable unless its
+group is the root group or the one specified at compile time by the
CONFIGURE_GROUP option.
&*Warning*&: In a conventional configuration, where the Exim binary is setuid
to root, anybody who is able to edit the run time configuration file has an
-easy way to run commands as root. If you make your mail administrators members
-of the Exim group, but do not trust them with root, make sure that the run time
-configuration is not group writeable.
+easy way to run commands as root. If you specify a user or group in the
+CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users
+who are members of that group will trivially be able to obtain root privileges.
+
+Up to Exim version 4.72, the run time configuration file was also permitted to
+be writeable by the Exim user and/or group. That has been changed in Exim 4.73
+since it offered a simple privilege escalation for any attacker who managed to
+compromise the Exim user account.
A default configuration file, which will work correctly in simple situations,
is provided in the file &_src/configure.default_&. If CONFIGURE_FILE
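
Review bot: The rewritten warning overstates the group case. The sentence "that user and/or any users who are members of that group will trivially be able to obtain root privileges" is only true for CONFIGURE_GROUP members when the file is actually group-writeable, which the preceding paragraph permits but does not require. Suggest saying that explicitly and keeping the actionable advice the removed lines carried, that is, leave the file not group-writeable unless every member of that group is trusted with root. Separately, in "must not be world-writeable, or group-writeable unless its group is the root group or ..." the scope of "unless" is easy to misread as also covering world-writeable; splitting this into two sentences would remove the ambiguity, and CONFIGURE_GROUP could carry the same "(if set)" qualifier that CONFIGURE_OWNER has.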