Re: exim-using packages - are you relying on -C or -D options?
Den 14. des. 2010 12:21, skrev Peter Samuelson:
If you do that please log an error when failing. Scratched my head a few
times over such security-measures. I know, "my bad" but still ...
Currently exim will accept -C to any file in any location. This
makes it trivial for an attacker to escalate from exim to root by
making any expansion in the config file run code as a privileged
user. The current alternative is to make exim refuse to execute if
the config file is not in a build-time configured directory.
...Or just fstat() the file after you open it, to make sure it's owned
by root:root, and !(mode& 002) ? I mean, is there a legitimate case
where this wouldn't be true?
Håkon Alstadheim / N-7510 Skatval / email:firstname.lastname@example.org
tlf: 74 82 60 27 mob: 47 35 39 38
spamtrap: email@example.com -- 1 hit& you are out