authorDavid Woodhouse <David.Woodhouse@intel.com>2010-12-15 13:47:46 +0000
committerDavid Woodhouse <David.Woodhouse@intel.com>2010-12-15 13:47:46 +0000
commit74935b987fd0312f535747fea636883ae22fec77 (patch)
tree1860bee3f904244601d52f72db0e412f6584100e /src
parentfb08281fe4730834c1265012d3cdeb558a671811 (diff)
Allow only Exim or CONFIGURE_OWNER to use whitelisted configs with -C
We only added TRUSTED_CONFIG_PREFIX_FILE to compensate for the enforcing of ALT_CONFIG_ROOT_ONLY. Let's not open it up any further than we need to; other users don't get to make use of it.
Diffstat (limited to 'src')
-rw-r--r--src/src/EDITME5
-rw-r--r--src/src/exim.c6
2 files changed, 8 insertions, 3 deletions
diff --git a/src/src/EDITME b/src/src/EDITME
index d093eb690..ade6a7cf0 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -478,8 +478,9 @@ FIXED_NEVER_USERS=root
# privileges for local message delivery), this will normally cause Exim to
# drop root privileges. The TRUSTED_CONFIG_PREFIX_LIST option, specifies
# a file which contains a list of trusted configuration prefixes (like the
-# ALT_CONFIG_PREFIX above), one per line. If the -C option is used to specify
-# a configuration file which matches a trusted prefix, root privileges are not
+# ALT_CONFIG_PREFIX above), one per line. If the -C option is used by the Exim
+# user or by the user specified in the CONFIGURE_OWNER setting, to specify a
+# configuration file which matches a trusted prefix, root privileges are not
# dropped by Exim.
# TRUSTED_CONFIG_PREFIX_LIST=/usr/exim/trusted_configs
diff --git a/src/src/exim.c b/src/src/exim.c
index 749868231..d50672151 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -1973,7 +1973,11 @@ for (i = 1; i < argc; i++)
{
#ifdef TRUSTED_CONFIG_PREFIX_LIST
- if (Ustrstr(argrest, "/../"))
+ if ((real_uid != exim_uid
+ #ifdef CONFIGURE_OWNER
+ && real_uid != config_uid
+ #endif
+ ) || Ustrstr(argrest, "/../"))
trusted_config = FALSE;
else
{
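Review bot: The caller check added at the top of the TRUSTED_CONFIG_PREFIX_LIST block carries no comment, and the `#ifdef CONFIGURE_OWNER` spliced into the middle of the `if` condition makes a privilege decision harder to audit than it needs to be. I would put the rationale directly above it, for example `/* Only the Exim user and CONFIGURE_OWNER may use a trusted -C file and keep root; any other caller is treated as untrusted. */`. Whether a caller whose real_uid is root can reach this test is not visible in the hunk; if it can, root would now fall into the untrusted branch, so it is worth confirming that the enclosing condition already excludes it. The enclosing block starts and ends outside the hunk.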