This one time, at band camp, Ian Jackson said:
> Stephen Gran writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> > This one time, at band camp, Ian Jackson said:
> > > sauce uses the -C option. And chiark's mail system relies on -C very
> > > heavily in other ways. Please don't break it.
> >
> > Can it limit itsef to a choice of two non world-writable directories?
>
> The other config files are in /etc/exim4 just like the main one, if
> that's what you mean.
>
> > That is the only current way to keep a successful break-in to the exim
> > account from escalating to root. There is a patch on exim-dev to allow
> > this to work without escalated privileges, but it's not in the lenny
> > exim.
>
> Are you saying the current exim4 package in lenny-security already has
> the disability you are discussing ?
AIUI, no, not yet. Currently exim will accept -C to any file in any
location. This makes it trivial for an attacker to escalate from exim
to root by making any expansion in the config file run code as a
privileged user. The current alternative is to make exim refuse to
execute if the config file is not in a build-time configured directory.
This is what is being proposed, and if all your other config files are in
the same place, it sounds like this won't cause a problem for you.
The patch I'm talking about allows execution outside of the configured
directory, but without escalated privileges. This would be more
flexible for users testing things, but it doesn't sound like it's
relevant at the moment for your needs.
Cheers,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
Attachment:
signature.asc
Description: Digital signature