diff options
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 51 | ||||
| -rw-r--r-- | doc/doc-src/FAQ.src | 34 | ||||
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 |
3 files changed, 46 insertions, 42 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 578485ddd..bbc3949c6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3334,14 +3334,17 @@ proceeding any further along the list, and an error is generated. When this option is used by a caller other than root, and the list is different from the compiled-in list, Exim gives up its root privilege immediately, and runs with the real and effective uid and gid set to those of the caller. - -This behaviour precludes the possibility of testing a configuration using -&%-C%& right through message reception and delivery, even if the caller is -root. The reception works, but by that time, Exim is running as the Exim user, -so when it re-executes to regain privilege for the delivery, the use of &%-C%& -causes privilege to be lost. However, root can test reception and delivery -using two separate commands (one to put a message on the queue, using &%-odq%&, -and another to do the delivery, using &%-M%&). +However, if a TRUSTED_CONFIG_PREFIX_LIST file is defined in &_Local/Makefile_&, +root privilege is retained for any configuration file which matches a prefix +listed in that file. + +Leaving TRUSTED_CONFIG_PREFIX_LIST unset precludes the possibility of testing +a configuration using &%-C%& right through message reception and delivery, +even if the caller is root. The reception works, but by that time, Exim is +running as the Exim user, so when it re-executes to regain privilege for the +delivery, the use of &%-C%& causes privilege to be lost. However, root can +test reception and delivery using two separate commands (one to put a message +on the queue, using &%-odq%&, and another to do the delivery, using &%-M%&). If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a prefix string with which any file named in a &%-C%& command line option @@ -4525,19 +4528,21 @@ A one-off alternate configuration can be specified by the &%-C%& command line option, which may specify a single file or a list of files. However, when &%-C%& is used, Exim gives up its root privilege, unless called by root (or unless the argument for &%-C%& is identical to the built-in value from -CONFIGURE_FILE). &%-C%& is useful mainly for checking the syntax of -configuration files before installing them. No owner or group checks are done -on a configuration file specified by &%-C%&. - -The Exim user is not trusted to specify an arbitrary configuration file with -the &%-C%& option to be executed with root privileges. This locks out the -possibility of testing a configuration using &%-C%& right through message -reception and delivery, even if the caller is root. The reception works, but -by that time, Exim is running as the Exim user, so when it re-execs to regain -privilege for the delivery, the use of &%-C%& causes privilege to be lost. -However, root can test reception and delivery using two separate commands -(one to put a message on the queue, using &%-odq%&, and another to do the -delivery, using &%-M%&). +CONFIGURE_FILE) or matches a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST +file. &%-C%& is useful mainly for checking the syntax of configuration files +before installing them. No owner or group checks are done on a configuration +file specified by &%-C%&, if root privilege has been dropped. + +Even the Exim user is not trusted to specify an arbitrary configuration file +with the &%-C%& option to be used with root privileges, unless that file is +listed in the TRUSTED_CONFIG_PREFIX_LIST file. This locks out the possibility +of testing a configuration using &%-C%& right through message reception and +delivery, even if the caller is root. The reception works, but by that time, +Exim is running as the Exim user, so when it re-execs to regain privilege for +the delivery, the use of &%-C%& causes privilege to be lost. However, root +can test reception and delivery using two separate commands (one to put a +message on the queue, using &%-odq%&, and another to do the delivery, using +&%-M%&). If ALT_CONFIG_PREFIX is defined &_in Local/Makefile_&, it specifies a prefix string with which any file named in a &%-C%& command line option must @@ -33797,7 +33802,9 @@ which only root has access, this guards against someone who has broken into the Exim account from running a privileged Exim with an arbitrary configuration file, and using it to break into other accounts. .next -If a non-default configuration file is specified with &%-C%&, or macros are +If a non-trusted configuration file (i.e. the default configuration file or +one which is trusted by virtue of matching a prefix listed in the +TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are given with &%-D%&, then root privilege is retained only if the caller of Exim is root. This locks out the possibility of testing a configuration using &%-C%& right through message reception and delivery, even if the caller is root. The diff --git a/doc/doc-src/FAQ.src b/doc/doc-src/FAQ.src index b53070e07..461b1a608 100644 --- a/doc/doc-src/FAQ.src +++ b/doc/doc-src/FAQ.src @@ -851,7 +851,9 @@ A0044: Exim has been unable to create a file in its spool area in which to If you are running Exim with an alternate configuration file using a command such as \"exim -C altconfig..."\, remember that the use of -C - takes away Exim's root privilege. + takes away Exim's root privilege, unless \\TRUSTED_CONFIG_PREFIX_FILE\\ + is set in \(Local/Makefile)\ and the corresponding file contains a + prefix which matches the alternative configuration file being used. Check that you have defined the spool directory correctly by running @@ -1147,25 +1149,17 @@ Q0065: When (as \/root/\) I use -C to run Exim with an alternate configuration trying to run an \%autoreply%\ transport. Why is this? A0065: When Exim is called with -C, it passes on -C to any instances of itself - that it calls (so that the whole sequence uses the same config file). If - it's running as \/exim/\ when it does this, all is well. However, if it - happens as a consequence of a non-privileged user running \%autoreply%\, - the called Exim gives up its root privilege. Then it can't write to the - spool. - - This means that you can't use -C (even as \/root/\) to run an instance of - Exim that is going to try to run \%autoreply%\ from a process that is - neither \/root/\ nor \/exim/\. Because of the architecture of Exim (using - re-execs to regain privilege), there isn't any way round this - restriction. Therefore, the only way you can make this scenario work is - to run the \%autoreply%\ transport as \/exim/\ (that is, the user that - owns the Exim spool files). This may be satisfactory for autoreplies - that are essentially system-generated, but of course is no good for - autoreplies from unprivileged users, where you want the \%autoreply%\ - transport to be run as the user. To get that to work with an alternate - configuration, you'll have to use two Exim binaries, with different - configuration file names in each. See S001 for a script that patches - the configuration name in an Exim binary. + that it calls (so that the whole sequence uses the same config file). + However, Exim gives up its root privilege if any user except \/root\/ + passes a -C option to use a non-default configuration file, and that + includes the case where Exim re-execs itself to regain root privilege. + Thus it can't write to the spool. + + The fix for this is to use the \\TRUSTED_CONFIG_PREFIX_LIST\\ build-time + option. This defines a file containing a list of 'trusted' prefixes for + configuration files. Any configuration file specified with -C, if it + matches a prefix listed in that file, will be used without dropping root + privileges (as long as it is not writeable by a non-root user). Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ mean? diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index afc854e44..cf307014b 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -86,6 +86,9 @@ DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY option (effectively making it always true). +DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration + files to be used while preserving root privileges. + Exim version 4.72 ----------------- |