author | Phil Pennock <pdp@exim.org> | 2010-06-06 02:46:13 +0000 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2010-06-06 02:46:13 +0000 |
commit | 10385c155b0e1266c02535b76ab73b32fa83d73f (patch) | |
tree | fab6bd2a0597a506c61b6ae6159488ce043592ff /src | |
parent | 4b2241d2228351057f63f954de46b0449288e3ba (diff) |
No longer permit the exim user to be root. Fixes: #752
Diffstat (limited to 'src')
-rw-r--r-- | src/src/EDITME | 5 | ||||
-rw-r--r-- | src/src/buildconfig.c | 16 | ||||
-rw-r--r-- | src/src/exim.c | 8 |
3 files changed, 24 insertions, 5 deletions
diff --git a/src/src/EDITME b/src/src/EDITME index 85922f8aa..7f7f6b3a4 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -1,4 +1,4 @@ -# $Cambridge: exim/src/src/EDITME,v 1.25 2010/06/05 11:13:29 pdp Exp $ +# $Cambridge: exim/src/src/EDITME,v 1.26 2010/06/06 02:46:13 pdp Exp $ ################################################## # The Exim mail transport agent # @@ -131,8 +131,7 @@ CONFIGURE_FILE=/usr/exim/configure # group that is used for Exim processes when they no longer need to be root. In # particular, this applies when receiving messages and when doing remote # deliveries. (Local deliveries run as various non-root users, typically as the -# owner of a local mailbox.) Specifying these values as root is very strongly -# discouraged. +# owner of a local mailbox.) Specifying these values as root is not supported. EXIM_USER= diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c index 51fe02618..36561a968 100644 --- a/src/src/buildconfig.c +++ b/src/src/buildconfig.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/buildconfig.c,v 1.15 2009/11/16 19:50:36 nm4 Exp $ */ +/* $Cambridge: exim/src/src/buildconfig.c,v 1.16 2010/06/06 02:46:13 pdp Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -356,6 +356,7 @@ while (fgets(buffer, sizeof(buffer), base) != NULL) uid_t uid = 0; gid_t gid = 0; int gid_set = 0; + int uid_not_set = 0; char *username = NULL; char *groupname = NULL; char *s; @@ -410,6 +411,7 @@ while (fgets(buffer, sizeof(buffer), base) != NULL) while (isspace(*user)) user++; username = user; gid_set = 1; + uid_not_set = 1; } else 
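Review bot: The flag added in the buildconfig.c hunk at line 356, `int uid_not_set = 0;`, is named in the negative, so its consumer has to test `!uid_not_set`, a double negative; a positive name such as `uid_deferred` would read more directly, though the rename would also touch the hunk at line 410 and the later check. The declaration also carries no comment; the branch that raises it at line 410 appears to be the ref: case that the later security comment refers to, so `int uid_not_set = 0;  /* ref: defers the uid lookup to runtime; uid stays 0 here */` would record that, if that reading of the surrounding code is right. Both hunks sit inside the `while (fgets(...))` loop body, which begins and ends outside the hunks.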
@@ -503,6 +505,18 @@ while (fgets(buffer, sizeof(buffer), base) != NULL) return 1; } + /* security sanity checks + if ref: is being used, we can never be sure, but we can take reasonable + steps to filter out the most obvious ones. */ + + if ((!uid_not_set && uid == 0) || + (strcmp(username, "root") == 0) || + (strcmp(username, "toor") == 0) ) + { + printf("\n*** Exim's internal user must not be root.\n\n"); + return 1; + } + /* Output user and group names or uid/gid. When names are set, uid/gid are set to zero but will be replaced at runtime. */ diff --git a/src/src/exim.c b/src/src/exim.c index 36f7a1b3d..a68a06227 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/exim.c,v 1.68 2010/06/06 02:08:50 pdp Exp $ */ +/* $Cambridge: exim/src/src/exim.c,v 1.69 2010/06/06 02:46:13 pdp Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -1234,6 +1234,12 @@ This is a feature to make the lives of binary distributors easier. */ #ifdef EXIM_USERNAME if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid)) { + if (exim_uid == 0) + { + fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n", + EXIM_USERNAME); + exit(EXIT_FAILURE); + } exim_gid = pw->pw_gid; } else |
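Review bot: In the new check in buildconfig.c, `strcmp(username, "root")` is reached with `username` still NULL whenever the user was given in a form other than ref: and resolved to a non-zero uid: `username` is initialised to NULL in the hunk at line 356 and is only visibly assigned in the branch that sets `uid_not_set`, and the first `||` operand short-circuits only when `uid == 0`. If `username` is indeed left NULL on the other branches (not visible here), every ordinary non-root configuration dereferences NULL at this point. Guard the name tests: `((username != NULL) && (strcmp(username, "root") == 0 || strcmp(username, "toor") == 0))`. The enclosing loop body begins and ends outside the hunk.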
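Review bot: The new `if (exim_uid == 0)` block in the EXIM_USERNAME branch of exim.c has no comment saying why a runtime refusal is needed when buildconfig.c already rejects root at build time, so it reads as redundant; the reason belongs next to it, e.g. `/* A ref: user is resolved only at runtime, so buildconfig.c could not see the uid; refuse root here as well. */`. The check tests the literal `0` while `exim_gid` is taken from `pw->pw_gid` on the following line without a similar test; whether a gid of 0 should be refused too is a policy question the EDITME wording ("these values") raises but this hunk does not settle. The enclosing function extends beyond the hunk on both sides.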