Re: exim-using packages - are you relying on -C or -D options?
[Stephen Gran]
> Currently exim will accept -C to any file in any location. This
> makes it trivial for an attacker to escalate from exim to root by
> making any expansion in the config file run code as a privileged
> user. The current alternative is to make exim refuse to execute if
> the config file is not in a build-time configured directory.
...Or just fstat() the file after you open it, to make sure it's owned
by root:root, and !(mode & 002) ? I mean, is there a legitimate case
where this wouldn't be true?
--
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
Reply to: