-rw-r--r--  doc/doc-txt/Exim4.upgrade | 18
-rw-r--r--  src/src/deliver.c         |  6
2 files changed, 14 insertions, 10 deletions
diff --git a/doc/doc-txt/Exim4.upgrade b/doc/doc-txt/Exim4.upgrade
index 528d94d9c..86d4a4dda 100644
--- a/doc/doc-txt/Exim4.upgrade
+++ b/doc/doc-txt/Exim4.upgrade
@@ -468,11 +468,12 @@ Generic Router Options
. The way that require_files works has been changed. Each item in the list is
now separately expanded as the test proceeds. The use of leading ! and +
characters is unchanged. However, user and group checking is done differently.
- Previously, seteuid() was used, but seteuid() is no longer used in Exim (see
- "Security" below). Instead, Exim now scans along the components of the file
- path and checks the access for the given uid and gid. It expects "x" access
- on directories and "r" on the final file. This means that file access control
- lists (on those operating systems that have them) are ignored.
+ Previously, seteuid() was used, but seteuid() is no longer used (see
+ "Security" below) for checking the files required by this option. Instead,
+ Exim now scans along the components of the file path and checks the access
+ for the given uid and gid. It expects "x" access on directories and "r" on
+ the final file. This means that file access control lists (on those
+ operating systems that have them) are ignored.
Other Consequences of the Director/Router Merge
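Review bot: In the rewritten first sentence of this hunk the parenthetical "(see "Security" below)" now sits between the verb and its object, so "seteuid() is no longer used (see "Security" below) for checking the files required by this option" reads as if the cross-reference, not the seteuid() call, is what applies to the file check. Suggest moving it to the end of the clause: "seteuid() is no longer used for checking the files required by this option (see "Security" below)." The narrowing itself is the right fix, since the Security section in the same file now documents a remaining seteuid() use, and the old unqualified "no longer used in Exim" would have contradicted it.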
@@ -1380,8 +1381,11 @@ Security
--------
Exim 3 could be run in a variety of ways as far as security was concerned. This
-has all been simplified in Exim 4. The security-conscious might like to know
-that it no longer makes any use of the seteuid() function.
+has all been simplified in Exim 4. Exim dropped the use of seteuid() in
+most places. But recent (2020-10/2021-04) vulnerabilities forced us to
+re-introduce seteuid() for opening the database files (hint files) as secure as
+possible. For future (>= 4.95) versions we work on a solution that
+does not need the seteuid call.
. A UID and GID are required to be specified when Exim is compiled. They can be
now specified by name as well as by number, so the relevant options are now
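Review bot: The new paragraph in this hunk tells the reader that seteuid() was re-introduced because of vulnerabilities dated only as "2020-10/2021-04", but gives no pointer to the advisories or release notes that describe them, which is what an administrator reading an upgrade document will want to follow; suggest naming the relevant security advisory or ChangeLog entries (left unspecified here because the patch does not name them). Two wording points in the same lines: "as secure as possible" should be "as securely as possible" (it modifies "opening"), and "we work on a solution" reads better as "we are working on a solution". It may also be worth stating explicitly which code paths still avoid seteuid(), since the deliver.c change in this commit narrows its own claim to delivery only, and the two texts should agree on where the exception applies.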
diff --git a/src/src/deliver.c b/src/src/deliver.c
index cf8ab09eb..4e472ebe6 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -2097,9 +2097,9 @@ return FALSE;
/* Each local delivery is performed in a separate process which sets its
uid and gid as specified. This is a safer way than simply changing and
-restoring using seteuid(); there is a body of opinion that seteuid() cannot be
-used safely. From release 4, Exim no longer makes any use of it. Besides, not
-all systems have seteuid().
+restoring using seteuid(); there is a body of opinion that seteuid()
+cannot be used safely. From release 4, Exim no longer makes any use of
+it for delivery. Besides, not all systems have seteuid().
If the uid/gid are specified in the transport_instance, they are used; the
transport initialization must ensure that either both or neither are set.
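Review bot: The qualifier added to the comment in this hunk, "no longer makes any use of it for delivery", is left unexplained in the code: a reader of deliver.c has no indication that seteuid() is now used elsewhere or why the comment was narrowed. Suggest adding one sentence pointing to the code path that does use seteuid() (the hints-database opening described in the Exim4.upgrade change in this same commit), e.g. "seteuid() is used only when opening the hints databases; see the Security notes in doc/doc-txt/Exim4.upgrade." This keeps the comment consistent with the documentation change and saves the next person from assuming the remaining call is a leftover. Otherwise the reflowed lines are a comment-only change and carry no behavioural impact.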