diff options
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
| -rw-r--r-- | doc/doc-txt/IncompatibleChanges | 45 | ||||
| -rw-r--r-- | doc/doc-txt/NewStuff | 3 | ||||
| -rw-r--r-- | src/src/exim.c | 4 | ||||
| -rw-r--r-- | src/src/globals.c | 2 |
5 files changed, 56 insertions, 1 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 624e0a8c7..fe9c42a6e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -92,6 +92,9 @@ DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure that rogue child processes cannot use them. +PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim + run-time user, instead of root. + Exim version 4.72 ----------------- diff --git a/doc/doc-txt/IncompatibleChanges b/doc/doc-txt/IncompatibleChanges new file mode 100644 index 000000000..b578faa5b --- /dev/null +++ b/doc/doc-txt/IncompatibleChanges @@ -0,0 +1,45 @@ +Preamble +======== + +Normally The Exim Maintainers ensure that a configuration which works +with version N will work with version N+1, within a major version number +(eg, 4). + +Occasionally this will not be the case; usually, those changes will be +at the end of a long notice period where admins have been encouraged to +move away and even then, we are hesitant to fully break things without +strong cause to move away. + +This does not apply to "experimental" features, which can be withdrawn +or changed with little notice, although we still endeavour to limit +that. We may choose to note those changes here too. + +The most likely cause of a backwards-incompatible change is a security +improvement, where the benefits for everyone strongly outweigh the needs +of the few. + + +Changes +======= + +Exim version 4.73 +----------------- + + * The Exim run-time user can no longer be root; this was always + strongly discouraged, but is now prohibited both at build and + run-time. If you need Exim to run routinely as root, you'll need to + patch the source and accept the risk. Here be dragons. + + * Exim will no longer accept a configuration file owned by the Exim + run-time user, unless that account is explicitly the value in + CONFIGURE_OWNER, which we discourage. Exim now checks to ensure that + files are not writable by other accounts. + + * ALT_CONFIG_ROOT_ONLY is no longer optional and is forced on; the Exim + user can no longer use -C/-D and retain privilege. + + * The system_filter_user option now defaults to the Exim run-time user, + rather than root. You can still set it explicitly to root and this + can be done with prior versions too, letting you roll versions + without needing to change this configuration option. + diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 2609d0a1f..cedfc6e25 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -94,6 +94,9 @@ Version 4.73 default value is set at build time using the TCP_WRAPPERS_DAEMON_NAME build option. +11. [POSSIBLE CONFIG BREAKAGE] The default value for system_filter_user is now + the Exim run-time user, instead of root. + Version 4.72 ------------ diff --git a/src/src/exim.c b/src/src/exim.c index 6b82013f8..729114c1c 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -1268,6 +1268,10 @@ if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid)) } #endif +/* We default the system_filter_user to be the Exim run-time user, as a +sane non-root value. */ +system_filter_uid = exim_uid; + #ifdef CONFIGURE_GROUPNAME if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid)) { diff --git a/src/src/globals.c b/src/src/globals.c index f77fbcc63..500691cb0 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -1189,7 +1189,7 @@ uschar *system_filter_reply_transport = NULL; gid_t system_filter_gid = 0; BOOL system_filter_gid_set = FALSE; -uid_t system_filter_uid = 0; +uid_t system_filter_uid = (uid_t)-1; BOOL system_filter_uid_set = FALSE; BOOL system_filtering = FALSE; |