[Stephen Gran]
Currently exim will accept -C to any file in any location. This
makes it trivial for an attacker to escalate from exim to root by
making any expansion in the config file run code as a privileged
user. The current alternative is to make exim refuse to execute if
the config file is not in a build-time configured directory.
...Or just fstat() the file after you open it, to make sure it's owned
by root:root, and !(mode & 002)? I mean, is there a legitimate case
where this wouldn't be true?
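
The check suggested in the reply above, written out in C as an added example; it is not Exim's code and not code from either poster. The function names `config_fd_is_trusted` and `open_trusted_config` are hypothetical, the expected owner and group are parameters so the check can be exercised without root, and the regular-file test is an addition beyond what the message proposes.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the already-open fd refers to a regular file owned by
 * owner:group that is not world-writable, 0 otherwise. Checking the
 * descriptor (fstat) rather than the path (stat) means the file that
 * was checked is the same file that will be read afterwards. */
int config_fd_is_trusted(int fd, uid_t owner, gid_t group)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))            /* addition: not in the message */
        return 0;
    if (st.st_uid != owner || st.st_gid != group)
        return 0;
    if (st.st_mode & S_IWOTH)            /* the !(mode & 002) test */
        return 0;
    return 1;
}

/* Open path read-only and return the fd only if it passes the check;
 * returns -1 if the open fails or the file is not trusted. */
int open_trusted_config(const char *path, uid_t owner, gid_t group)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (!config_fd_is_trusted(fd, owner, group)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    int fd = open_trusted_config(argv[1], 0, 0);  /* root:root, as in the message */
    puts(fd >= 0 ? "trusted" : "refused");
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}
```

The check covers only the file itself; a writable parent directory still lets the file be replaced between runs, which this example does not examine.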