diff options
| author | David Woodhouse <David.Woodhouse@intel.com> | 2010-12-11 13:44:55 +0000 |
|---|---|---|
| committer | David Woodhouse <David.Woodhouse@intel.com> | 2010-12-11 21:12:40 +0000 |
| commit | c1d94452b1b7f3620ee3cc9aa197ad98821de79f (patch) | |
| tree | 5152e5ff0bb43108d3c7030913ecc8c51852a085 /doc | |
| parent | 7f36d675a458b3cf823c977e2cc4b47a6e6c8d4a (diff) | |
Don't allow a configure file which is writeable by the Exim user or group
(Bug 1044, CVE-2010-4345)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 16 | ||||
| -rw-r--r-- | doc/doc-txt/ChangeLog | 4 |
2 files changed, 14 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 1ec418101..049b2b6b0 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -4501,17 +4501,21 @@ existing file in the list. .cindex "configuration file" "ownership" .cindex "ownership" "configuration file" The run time configuration file must be owned by root or by the user that is -specified at compile time by the EXIM_USER option, or by the user that is specified at compile time by the CONFIGURE_OWNER option (if set). The -configuration file must not be world-writeable or group-writeable, unless its -group is the one specified at compile time by the EXIM_GROUP option or by the +configuration file must not be world-writeable, or group-writeable unless its +group is the root group or the one specified at compile time by the CONFIGURE_GROUP option. &*Warning*&: In a conventional configuration, where the Exim binary is setuid to root, anybody who is able to edit the run time configuration file has an -easy way to run commands as root. If you make your mail administrators members -of the Exim group, but do not trust them with root, make sure that the run time -configuration is not group writeable. +easy way to run commands as root. If you specify a user or group in the +CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users +who are members of that group will trivially be able to obtain root privileges. + +Up to Exim version 4.72, the run time configuration file was also permitted to +be writeable by the Exim user and/or group. That has been changed in Exim 4.73 +since it offered a simple privilege escalation for any attacker who managed to +compromise the Exim user account. A default configuration file, which will work correctly in simple situations, is provided in the file &_src/configure.default_&. If CONFIGURE_FILE diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index ccc5d79ad..99a6f176b 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -74,6 +74,10 @@ PP/20 Added a CONTRIBUTING file. Fixed the documentation build to use http: DW/21 Added Valgrind hooks in store.c to help it capture out-of-bounds store access. +DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour + of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a + configuration file which is writeable by the Exim user or group. + Exim version 4.72 ----------------- |