Re: exim-using packages - are you relying on -C or -D options?
Stephen Gran writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> This one time, at band camp, Ian Jackson said:
> > Are you saying the current exim4 package in lenny-security already has
> > the disability you are discussing ?
>
> AIUI, no, not yet. Currently exim will accept -C to any file in any
> location. This makes it trivial for an attacker to escalate from exim
> to root by making any expansion in the config file run code as a
> privileged user.
Ah, yes, I see.
> The current alternative is to make exim refuse to
> execute if the config file is not in a build-time configured directory.
> This is what is being proposed, and if all your other config files are in
> the same place, it sounds like this won't cause a problem for you.
Right, I think it will be OK for me.
Will it follow symlinks ? If so then the problem isn't that sever.
> The patch I'm talking about allows execution outside of the configured
> directory, but without escalated privileges. This would be more
> flexible for users testing things, but it doesn't sound like it's
> relevant at the moment for your needs.
Indeed.
Thanks,
Ian.
Reply to: