author    David Woodhouse <David.Woodhouse@intel.com>  2010-12-12 02:41:37 +0000
committer David Woodhouse <David.Woodhouse@intel.com>  2010-12-12 02:52:02 +0000
commit    261dc43e32f6039781ca92535e56f5caaa68b809 (patch)
tree      0f03b0846dff44db79a6e7efcb7e940a53e2672a /doc
parent    cd25e41d2d044556e024f0292a17c5ec3cc7987b (diff)
Add TRUSTED_CONFIG_PREFIX_FILE option
(Bug 1044, CVE-2010-4345)
Diffstat (limited to 'doc')
-rw-r--r--  doc/doc-docbook/spec.xfpt  51
-rw-r--r--  doc/doc-src/FAQ.src        34
-rw-r--r--  doc/doc-txt/ChangeLog       3
3 files changed, 46 insertions, 42 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 578485ddd..bbc3949c6 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3334,14 +3334,17 @@ proceeding any further along the list, and an error is generated.
When this option is used by a caller other than root, and the list is different
from the compiled-in list, Exim gives up its root privilege immediately, and
runs with the real and effective uid and gid set to those of the caller.
-
-This behaviour precludes the possibility of testing a configuration using
-&%-C%& right through message reception and delivery, even if the caller is
-root. The reception works, but by that time, Exim is running as the Exim user,
-so when it re-executes to regain privilege for the delivery, the use of &%-C%&
-causes privilege to be lost. However, root can test reception and delivery
-using two separate commands (one to put a message on the queue, using &%-odq%&,
-and another to do the delivery, using &%-M%&).
+However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&,
+root privilege is retained for any configuration file which matches a prefix
+listed in that file.
+
+Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes the possibility of testing
+a configuration using &%-C%& right through message reception and delivery,
+even if the caller is root. The reception works, but by that time, Exim is
+running as the Exim user, so when it re-executes to regain privilege for the
+delivery, the use of &%-C%& causes privilege to be lost. However, root can
+test reception and delivery using two separate commands (one to put a message
+on the queue, using &%-odq%&, and another to do the delivery, using &%-M%&).
If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
prefix string with which any file named in a &%-C%& command line option
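Review bot: the option is called TRUSTED_CONFIG_PREFIX_LIST in the added lines "+However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&," and "+Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes", but the commit message, the ChangeLog hunk and the FAQ A0044 hunk in this same commit call it TRUSTED_CONFIG_PREFIX_FILE; settle on one name before this ships, otherwise an administrator who reads the ChangeLog will not find the option in the spec. While here, the unchanged context line "If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&" has the word "in" inside the filename markup; the new text gets it right with "in &_Local/Makefile_&", so the old line is worth fixing in the same hunk.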
@@ -4525,19 +4528,21 @@ A one-off alternate configuration can be specified by the &%-C%& command line
option, which may specify a single file or a list of files. However, when
&%-C%& is used, Exim gives up its root privilege, unless called by root (or
unless the argument for &%-C%& is identical to the built-in value from
-CONFIGURE_FILE). &%-C%& is useful mainly for checking the syntax of
-configuration files before installing them. No owner or group checks are done
-on a configuration file specified by &%-C%&.
-
-The Exim user is not trusted to specify an arbitrary configuration file with
-the &%-C%& option to be executed with root privileges. This locks out the
-possibility of testing a configuration using &%-C%& right through message
-reception and delivery, even if the caller is root. The reception works, but
-by that time, Exim is running as the Exim user, so when it re-execs to regain
-privilege for the delivery, the use of &%-C%& causes privilege to be lost.
-However, root can test reception and delivery using two separate commands
-(one to put a message on the queue, using &%-odq%&, and another to do the
-delivery, using &%-M%&).
+CONFIGURE_FILE) or matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST
+file. &%-C%& is useful mainly for checking the syntax of configuration files
+before installing them. No owner or group checks are done on a configuration
+file specified by &%-C%&, if root privilege has been dropped.
+
+Even the Exim user is not trusted to specify an arbitrary configuration file
+with the &%-C%& option to be used with root privileges, unless that file is
+listed in the TRUSTED_CONFIG_PREFIX_LIST file. This locks out the possibility
+of testing a configuration using &%-C%& right through message reception and
+delivery, even if the caller is root. The reception works, but by that time,
+Exim is running as the Exim user, so when it re-execs to regain privilege for
+the delivery, the use of &%-C%& causes privilege to be lost. However, root
+can test reception and delivery using two separate commands (one to put a
+message on the queue, using &%-odq%&, and another to do the delivery, using
+&%-M%&).
If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a
prefix string with which any file named in a &%-C%& command line option must
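Review bot: "unless that file is listed in the TRUSTED_CONFIG_PREFIX_LIST file" misstates the mechanism that the same hunk describes a few lines earlier ("matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST file"); the file holds prefixes, not configuration file names, so write "unless that file matches a prefix listed in ...". The following sentence, "This locks out the possibility of testing a configuration using &%-C%& right through message reception and delivery, even if the caller is root", is now only true when no trusted prefix matches; qualify it (for example "Otherwise, this locks out ...") the way the first hunk does with "Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes". Finally, the FAQ hunk in this commit says a matching file is honoured only "as long as it is not writeable by a non-root user"; that condition is the check that keeps the prefix list safe and belongs in the spec here as well, not only in the FAQ.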
@@ -33797,7 +33802,9 @@ which only root has access, this guards against someone who has broken
into the Exim account from running a privileged Exim with an arbitrary
configuration file, and using it to break into other accounts.
.next
-If a non-default configuration file is specified with &%-C%&, or macros are
+If a non-trusted configuration file (i.e. the default configuration file or
+one which is trusted by virtue of matching a prefix listed in the
+TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are
given with &%-D%&, then root privilege is retained only if the caller of Exim
is root. This locks out the possibility of testing a configuration using &%-C%&
right through message reception and delivery, even if the caller is root. The
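Review bot: the parenthetical contradicts the clause it is meant to explain. "If a non-trusted configuration file (i.e. the default configuration file or one which is trusted by virtue of matching a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST file) is specified" defines a non-trusted file as precisely the set of trusted ones, so this security section now states the opposite of the behaviour. Suggested wording: "If a configuration file other than a trusted one (i.e. other than the default configuration file or one which matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are given with &%-D%&, then root privilege is retained only if the caller of Exim is root." The option name should also agree with whichever of PREFIX_LIST or PREFIX_FILE is chosen elsewhere in this commit.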
diff --git a/doc/doc-src/FAQ.src b/doc/doc-src/FAQ.src
index b53070e07..461b1a608 100644
--- a/doc/doc-src/FAQ.src
+++ b/doc/doc-src/FAQ.src
@@ -851,7 +851,9 @@ A0044: Exim has been unable to create a file in its spool area in which to
If you are running Exim with an alternate configuration file using a
command such as \"exim -C altconfig..."\, remember that the use of -C
- takes away Exim's root privilege.
+ takes away Exim's root privilege, unless \\TRUSTED_CONFIG_PREFIX_FILE\\
+ is set in \(Local/Makefile)\ and the corresponding file contains a
+ prefix which matches the alternative configuration file being used.
Check that you have defined the spool directory correctly by running
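Review bot: this answer writes the option as \\TRUSTED_CONFIG_PREFIX_FILE\\ while the A0065 hunk later in the same file writes \\TRUSTED_CONFIG_PREFIX_LIST\\; one of the two is wrong and both answers are likely to be read together by someone debugging a spool permission error. The added sentence is also long for FAQ prose; splitting after "root privilege" and starting a new sentence with "The exception is when ..." would read more easily.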
@@ -1147,25 +1149,17 @@ Q0065: When (as \/root/\) I use -C to run Exim with an alternate configuration
trying to run an \%autoreply%\ transport. Why is this?
A0065: When Exim is called with -C, it passes on -C to any instances of itself
- that it calls (so that the whole sequence uses the same config file). If
- it's running as \/exim/\ when it does this, all is well. However, if it
- happens as a consequence of a non-privileged user running \%autoreply%\,
- the called Exim gives up its root privilege. Then it can't write to the
- spool.
-
- This means that you can't use -C (even as \/root/\) to run an instance of
- Exim that is going to try to run \%autoreply%\ from a process that is
- neither \/root/\ nor \/exim/\. Because of the architecture of Exim (using
- re-execs to regain privilege), there isn't any way round this
- restriction. Therefore, the only way you can make this scenario work is
- to run the \%autoreply%\ transport as \/exim/\ (that is, the user that
- owns the Exim spool files). This may be satisfactory for autoreplies
- that are essentially system-generated, but of course is no good for
- autoreplies from unprivileged users, where you want the \%autoreply%\
- transport to be run as the user. To get that to work with an alternate
- configuration, you'll have to use two Exim binaries, with different
- configuration file names in each. See S001 for a script that patches
- the configuration name in an Exim binary.
+ that it calls (so that the whole sequence uses the same config file).
+ However, Exim gives up its root privilege if any user except \/root\/
+ passes a -C option to use a non-default configuration file, and that
+ includes the case where Exim re-execs itself to regain root privilege.
+ Thus it can't write to the spool.
+
+ The fix for this is to use the \\TRUSTED_CONFIG_PREFIX_LIST\\ build-time
+ option. This defines a file containing a list of 'trusted' prefixes for
+ configuration files. Any configuration file specified with -C, if it
+ matches a prefix listed in that file, will be used without dropping root
+ privileges (as long as it is not writeable by a non-root user).
Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean?
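Review bot: markup typo in "+ However, Exim gives up its root privilege if any user except \/root\/": the closing delimiter is written as \/ instead of /\, whereas every other use in this answer and in the question text is \/root/\ and \/exim/\, so the formatter will not close the span. The new text also relies on the reader knowing that the writeability condition in "(as long as it is not writeable by a non-root user)" refers to the configuration file, not the prefix list; saying "as long as the configuration file is not writeable by a non-root user" removes the ambiguity. As in A0044, the option name here (PREFIX_LIST) should match whatever the spec and ChangeLog end up using.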
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index afc854e44..cf307014b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -86,6 +86,9 @@ DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability
DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY
option (effectively making it always true).
+DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration
+ files to be used while preserving root privileges.
+
Exim version 4.72
-----------------
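Review bot: DW/25 names the option TRUSTED_CONFIG_PREFIX_FILE, while the two spec.xfpt hunks and the FAQ A0065 hunk in this same commit call it TRUSTED_CONFIG_PREFIX_LIST; the ChangeLog is what administrators read when upgrading, so the name here must match the documented one. Since the commit message ties this to Bug 1044 / CVE-2010-4345, the entry should also carry the same "Bugzilla 1044: CVE-2010-4345 - part four:" prefix that DW/23 and DW/24 use, so the advisory trail in the ChangeLog stays complete.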