diff options
author | David Woodhouse <David.Woodhouse@intel.com> | 2010-12-16 22:29:53 +0000 |
---|---|---|
committer | David Woodhouse <David.Woodhouse@intel.com> | 2010-12-16 22:29:53 +0000 |
commit | 90b6341f7282beed1175e942a113c30c212425c9 (patch) | |
tree | 849596497e1b71491c85e8f9c28088211c637170 /doc | |
parent | 8f29c95072dea6fbd8476afa3c990de62b40fafd (diff) |
Turn TRUSTED_CONFIG_PREFIX_LIST into TRUSTED_CONFIG_LIST. No prefix or regexes
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 45 | ||||
-rw-r--r-- | doc/doc-txt/ChangeLog | 2 | ||||
-rw-r--r-- | doc/doc-txt/IncompatibleChanges | 6 | ||||
-rw-r--r-- | doc/doc-txt/NewStuff | 20 |
4 files changed, 37 insertions, 36 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c9b77b88c..22815a9d1 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3334,13 +3334,13 @@ proceeding any further along the list, and an error is generated. When this option is used by a caller other than root, and the list is different from the compiled-in list, Exim gives up its root privilege immediately, and runs with the real and effective uid and gid set to those of the caller. -However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&, -root privilege is retained for any configuration file which matches a prefix -listed in that file as long as the caller is the Exim user (or the user -specified in the CONFIGURE_OWNER option, if any). +However, if a TRUSTED_CONFIG_LIST file is defined in &_Local/Makefile_&, root +privilege is retained for any configuration file which is listed in that file +as long as the caller is the Exim user (or the user specified in the +CONFIGURE_OWNER option, if any). -Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes the possibility of testing -a configuration using &%-C%& right through message reception and delivery, +Leaving TRUSTED_CONFIG_LIST unset precludes the possibility of testing a +configuration using &%-C%& right through message reception and delivery, even if the caller is root. The reception works, but by that time, Exim is running as the Exim user, so when it re-executes to regain privilege for the delivery, the use of &%-C%& causes privilege to be lost. However, root can @@ -4537,17 +4537,16 @@ A one-off alternate configuration can be specified by the &%-C%& command line option, which may specify a single file or a list of files. However, when &%-C%& is used, Exim gives up its root privilege, unless called by root (or unless the argument for &%-C%& is identical to the built-in value from -CONFIGURE_FILE), or matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST -file and the caller is the Exim user or the user specified in the -CONFIGURE_OWNER setting. &%-C%& is useful mainly for checking the syntax of -configuration files before installing them. No owner or group checks are done -on a configuration file specified by &%-C%&, if root privilege has been -dropped. +CONFIGURE_FILE), or is listed in the TRUSTED_CONFIG_LIST file and the caller +is the Exim user or the user specified in the CONFIGURE_OWNER setting. &%-C%& +is useful mainly for checking the syntax of configuration files before +installing them. No owner or group checks are done on a configuration file +specified by &%-C%&, if root privilege has been dropped. Even the Exim user is not trusted to specify an arbitrary configuration file with the &%-C%& option to be used with root privileges, unless that file is -listed in the TRUSTED_CONFIG_PREFIX_LIST file. This locks out the possibility -of testing a configuration using &%-C%& right through message reception and +listed in the TRUSTED_CONFIG_LIST file. This locks out the possibility of +testing a configuration using &%-C%& right through message reception and delivery, even if the caller is root. The reception works, but by that time, Exim is running as the Exim user, so when it re-execs to regain privilege for the delivery, the use of &%-C%& causes privilege to be lost. However, root @@ -33824,15 +33823,15 @@ into the Exim account from running a privileged Exim with an arbitrary configuration file, and using it to break into other accounts. .next If a non-trusted configuration file (i.e. not the default configuration file -or one which is trusted by virtue of matching a prefix listed in the -TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are -given with &%-D%& (but see the next item), then root privilege is retained only -if the caller of Exim is root. This locks out the possibility of testing a -configuration using &%-C%& right through message reception and delivery, even -if the caller is root. The reception works, but by that time, Exim is running -as the Exim user, so when it re-execs to regain privilege for the delivery, the -use of &%-C%& causes privilege to be lost. However, root can test reception and -delivery using two separate commands. +or one which is trusted by virtue of being listed in the TRUSTED_CONFIG_LIST +file) is specified with &%-C%&, or if macros are given with &%-D%& (but see +the next item), then root privilege is retained only if the caller of Exim is +root. This locks out the possibility of testing a configuration using &%-C%& +right through message reception and delivery, even if the caller is root. The +reception works, but by that time, Exim is running as the Exim user, so when +it re-execs to regain privilege for the delivery, the use of &%-C%& causes +privilege to be lost. However, root can test reception and delivery using two +separate commands. .next The WHITELIST_D_MACROS build option declares some macros to be safe to override with &%-D%& if the real uid is one of root, the Exim run-time user or the diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index f405cda5f..07501bb6c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -106,6 +106,8 @@ DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not for other users. Others should always drop root privileges if they use -C on the command line, even for a whitelisted configure file. +DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes. + Exim version 4.72 ----------------- diff --git a/doc/doc-txt/IncompatibleChanges b/doc/doc-txt/IncompatibleChanges index 8f07d784f..50bf186f2 100644 --- a/doc/doc-txt/IncompatibleChanges +++ b/doc/doc-txt/IncompatibleChanges @@ -39,9 +39,9 @@ Exim version 4.73 on; the Exim user can, by default, no longer use -C/-D and retain privilege. Two new build options mitigate this. - * TRUSTED_CONFIG_PREFIX_LIST defines a path prefix within which files - owned by root can be used by the Exim user; this is the recommended - approach going forward. + * TRUSTED_CONFIG_LIST defines a file containing a whitelist of config + files that are trusted to be selected by the Exim user; this is the + recommended approach going forward. * WHITELIST_D_MACROS defines a colon-separated list of macro names which the Exim run-time user may safely pass without dropping privileges. diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b9d88ff82..a732d9b2d 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -102,19 +102,19 @@ Version 4.73 12. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and is forced on. This is mitigated by the new build option - TRUSTED_CONFIG_PREFIX_LIST which defines a list of pathname prefices which - are trusted; if a config file is owned by root and is under that prefix, - then it may be used by the Exim run-time user. + TRUSTED_CONFIG_LIST which defines a list of configuration files which + are trusted; if a config file is owned by root and matches a pathname in + the list, then it may be invoked by the Exim build-time user without Exim + relinquishing root privileges. 13. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically trusted to supply -D<Macro[=Value]> overrides on the command-line. Going - forward, we recommend using TRUSTED_CONFIG_PREFIX_LIST with shim configs - that include the main config. As a transition mechanism, we are - temporarily providing a work-around: the new build option - WHITELIST_D_MACROS provides a colon-separated list of macro names which - may be overriden by the Exim run-time user. The values of these macros - are constrained to the regex ^[A-Za-z0-9_/.-]*$ (which explicitly does - allow for empty values). + forward, we recommend using TRUSTED_CONFIG_LIST with shim configs that + include the main config. As a transition mechanism, we are temporarily + providing a work-around: the new build option WHITELIST_D_MACROS provides + a colon-separated list of macro names which may be overriden by the Exim + run-time user. The values of these macros are constrained to the regex + ^[A-Za-z0-9_/.-]*$ (which explicitly does allow for empty values). Version 4.72 |