author: David Woodhouse <David.Woodhouse@intel.com> 2010-12-16 22:29:53 +0000
committer: David Woodhouse <David.Woodhouse@intel.com> 2010-12-16 22:29:53 +0000
commit: 90b6341f7282beed1175e942a113c30c212425c9
tree: 849596497e1b71491c85e8f9c28088211c637170 /doc
parent: 8f29c95072dea6fbd8476afa3c990de62b40fafd
Turn TRUSTED_CONFIG_PREFIX_LIST into TRUSTED_CONFIG_LIST. No prefix or regexes
Diffstat (limited to 'doc')
 -rw-r--r--  doc/doc-docbook/spec.xfpt          | 45
 -rw-r--r--  doc/doc-txt/ChangeLog              |  2
 -rw-r--r--  doc/doc-txt/IncompatibleChanges    |  6
 -rw-r--r--  doc/doc-txt/NewStuff               | 20
 4 files changed, 37 insertions, 36 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c9b77b88c..22815a9d1 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3334,13 +3334,13 @@ proceeding any further along the list, and an error is generated.
When this option is used by a caller other than root, and the list is different
from the compiled-in list, Exim gives up its root privilege immediately, and
runs with the real and effective uid and gid set to those of the caller.
-However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&,
-root privilege is retained for any configuration file which matches a prefix
-listed in that file as long as the caller is the Exim user (or the user
-specified in the CONFIGURE_OWNER option, if any).
+However, if a TRUSTED_CONFIG_LIST file is defined in &_Local/Makefile_&, root
+privilege is retained for any configuration file which is listed in that file
+as long as the caller is the Exim user (or the user specified in the
+CONFIGURE_OWNER option, if any).
-Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes the possibility of testing
-a configuration using &%-C%& right through message reception and delivery,
+Leaving TRUSTED_CONFIG_LIST unset precludes the possibility of testing a
+configuration using &%-C%& right through message reception and delivery,
even if the caller is root. The reception works, but by that time, Exim is
running as the Exim user, so when it re-executes to regain privilege for the
delivery, the use of &%-C%& causes privilege to be lost. However, root can
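Review bot: the rewritten sentence at the top of this hunk ("root privilege is retained for any configuration file which is listed in that file") leaves the matching rule undocumented: it does not say what format the TRUSTED_CONFIG_LIST file has (for example one absolute pathname per line), nor whether the whole &%-C%& argument must appear as an entry or each file of a colon-separated &%-C%& list must, and it drops the root-ownership condition that the NewStuff entry in this same patch still states ("if a config file is owned by root and matches a pathname in the list"). Suggest spelling out both here, along the lines of "for any configuration file which is listed in that file and is owned by root, as long as the caller is the Exim user ...", so the reference manual and the release notes describe the same rule.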
@@ -4537,17 +4537,16 @@ A one-off alternate configuration can be specified by the &%-C%& command line
option, which may specify a single file or a list of files. However, when
&%-C%& is used, Exim gives up its root privilege, unless called by root (or
unless the argument for &%-C%& is identical to the built-in value from
-CONFIGURE_FILE), or matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST
-file and the caller is the Exim user or the user specified in the
-CONFIGURE_OWNER setting. &%-C%& is useful mainly for checking the syntax of
-configuration files before installing them. No owner or group checks are done
-on a configuration file specified by &%-C%&, if root privilege has been
-dropped.
+CONFIGURE_FILE), or is listed in the TRUSTED_CONFIG_LIST file and the caller
+is the Exim user or the user specified in the CONFIGURE_OWNER setting. &%-C%&
+is useful mainly for checking the syntax of configuration files before
+installing them. No owner or group checks are done on a configuration file
+specified by &%-C%&, if root privilege has been dropped.
Even the Exim user is not trusted to specify an arbitrary configuration file
with the &%-C%& option to be used with root privileges, unless that file is
-listed in the TRUSTED_CONFIG_PREFIX_LIST file. This locks out the possibility
-of testing a configuration using &%-C%& right through message reception and
+listed in the TRUSTED_CONFIG_LIST file. This locks out the possibility of
+testing a configuration using &%-C%& right through message reception and
delivery, even if the caller is root. The reception works, but by that time,
Exim is running as the Exim user, so when it re-execs to regain privilege for
the delivery, the use of &%-C%& causes privilege to be lost. However, root
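Review bot: the rewrapped sentence "Exim gives up its root privilege, unless called by root (or unless the argument for &%-C%& is identical to the built-in value from CONFIGURE_FILE), or is listed in the TRUSTED_CONFIG_LIST file and the caller is ..." has no subject for "or is listed" once the parenthesis closes, so it reads as if Exim itself were listed. The removed text had the same problem with "or matches a prefix listed", but this rewrite is the moment to fix it; suggest keeping the two file-based exceptions together: "unless called by root, or unless the argument for &%-C%& is identical to the built-in value from CONFIGURE_FILE or is listed in the TRUSTED_CONFIG_LIST file and the caller is the Exim user or the user specified in the CONFIGURE_OWNER setting."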
@@ -33824,15 +33823,15 @@ into the Exim account from running a privileged Exim with an arbitrary
configuration file, and using it to break into other accounts.
.next
If a non-trusted configuration file (i.e. not the default configuration file
-or one which is trusted by virtue of matching a prefix listed in the
-TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are
-given with &%-D%& (but see the next item), then root privilege is retained only
-if the caller of Exim is root. This locks out the possibility of testing a
-configuration using &%-C%& right through message reception and delivery, even
-if the caller is root. The reception works, but by that time, Exim is running
-as the Exim user, so when it re-execs to regain privilege for the delivery, the
-use of &%-C%& causes privilege to be lost. However, root can test reception and
-delivery using two separate commands.
+or one which is trusted by virtue of being listed in the TRUSTED_CONFIG_LIST
+file) is specified with &%-C%&, or if macros are given with &%-D%& (but see
+the next item), then root privilege is retained only if the caller of Exim is
+root. This locks out the possibility of testing a configuration using &%-C%&
+right through message reception and delivery, even if the caller is root. The
+reception works, but by that time, Exim is running as the Exim user, so when
+it re-execs to regain privilege for the delivery, the use of &%-C%& causes
+privilege to be lost. However, root can test reception and delivery using two
+separate commands.
.next
The WHITELIST_D_MACROS build option declares some macros to be safe to override
with &%-D%& if the real uid is one of root, the Exim run-time user or the
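Review bot: this is now the third near-verbatim copy in spec.xfpt of the "locks out the possibility of testing a configuration using &%-C%& right through message reception and delivery" paragraph (the hunks at 3334 and 4537 carry the other two), and this patch itself shows that every change to the trust rule has to be applied in all three places. Consider keeping the full explanation in one place and cross-referencing it from the other two; while touching them, the wording also differs between "re-executes" (first hunk) and "re-execs" (second and third).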
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f405cda5f..07501bb6c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -106,6 +106,8 @@ DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not
for other users. Others should always drop root privileges if they use
-C on the command line, even for a whitelisted configure file.
+DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes.
+
Exim version 4.72
-----------------
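Review bot: the option names in the new DW/31 line do not match the rest of the patch: it says "Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE", while spec.xfpt, IncompatibleChanges and NewStuff all remove TRUSTED_CONFIG_PREFIX_LIST and introduce TRUSTED_CONFIG_LIST. Suggest "DW/31 Turn TRUSTED_CONFIG_PREFIX_LIST into TRUSTED_CONFIG_LIST. No prefixes." so that an administrator grepping the ChangeLog for the build option they set in Local/Makefile finds the entry. The preceding DW/30 context line uses the same _PREFIX_FILE spelling and may deserve the same correction in a follow-up.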
diff --git a/doc/doc-txt/IncompatibleChanges b/doc/doc-txt/IncompatibleChanges
index 8f07d784f..50bf186f2 100644
--- a/doc/doc-txt/IncompatibleChanges
+++ b/doc/doc-txt/IncompatibleChanges
@@ -39,9 +39,9 @@ Exim version 4.73
on; the Exim user can, by default, no longer use -C/-D and retain privilege.
Two new build options mitigate this.
- * TRUSTED_CONFIG_PREFIX_LIST defines a path prefix within which files
- owned by root can be used by the Exim user; this is the recommended
- approach going forward.
+ * TRUSTED_CONFIG_LIST defines a file containing a whitelist of config
+ files that are trusted to be selected by the Exim user; this is the
+ recommended approach going forward.
* WHITELIST_D_MACROS defines a colon-separated list of macro names which
the Exim run-time user may safely pass without dropping privileges.
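Review bot: the new bullet drops the root-ownership condition that the removed text stated ("files owned by root can be used by the Exim user") and that the NewStuff entry in this same patch keeps ("if a config file is owned by root and matches a pathname in the list"). If ownership is still checked, this bullet understates the rule; if it is no longer checked, NewStuff overstates it. Suggest either "defines a file containing a whitelist of root-owned config files that the Exim user is trusted to select" or aligning NewStuff with this wording, whichever matches the code.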
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index b9d88ff82..a732d9b2d 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -102,19 +102,19 @@ Version 4.73
12. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and
is forced on. This is mitigated by the new build option
- TRUSTED_CONFIG_PREFIX_LIST which defines a list of pathname prefices which
- are trusted; if a config file is owned by root and is under that prefix,
- then it may be used by the Exim run-time user.
+ TRUSTED_CONFIG_LIST which defines a list of configuration files which
+ are trusted; if a config file is owned by root and matches a pathname in
+ the list, then it may be invoked by the Exim build-time user without Exim
+ relinquishing root privileges.
13. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically
trusted to supply -D<Macro[=Value]> overrides on the command-line. Going
- forward, we recommend using TRUSTED_CONFIG_PREFIX_LIST with shim configs
- that include the main config. As a transition mechanism, we are
- temporarily providing a work-around: the new build option
- WHITELIST_D_MACROS provides a colon-separated list of macro names which
- may be overriden by the Exim run-time user. The values of these macros
- are constrained to the regex ^[A-Za-z0-9_/.-]*$ (which explicitly does
- allow for empty values).
+ forward, we recommend using TRUSTED_CONFIG_LIST with shim configs that
+ include the main config. As a transition mechanism, we are temporarily
+ providing a work-around: the new build option WHITELIST_D_MACROS provides
+ a colon-separated list of macro names which may be overriden by the Exim
+ run-time user. The values of these macros are constrained to the regex
+ ^[A-Za-z0-9_/.-]*$ (which explicitly does allow for empty values).
Version 4.72
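Review bot: "may be invoked by the Exim build-time user" in the rewritten item 12 replaces "the Exim run-time user" from the removed line, and item 13 in the same hunk still says "Exim run-time user"; the user that runs Exim and passes &%-C%& is the run-time user, so "build-time" looks like a slip. Suggest "then it may be used by the Exim run-time user without Exim relinquishing root privileges". The rewrapped line in item 13 also carries "overriden" forward; "overridden" while the line is being touched.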