Re: exim-using packages - are you relying on -C or -D options?

Peter Samuelson writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> [Stephen Gran]
> > Currently exim will accept -C to any file in any location.  This
> > makes it trivial for an attacker to escalate from exim to root by
> > making any expansion in the config file run code as a privileged
> > user.  The current alternative is to make exim refuse to execute if
> > the config file is not in a build-time configured directory.
> ...Or just fstat() the file after you open it, to make sure it's owned
> by root:root, and !(mode & 002) ?  I mean, is there a legitimate case
> where this wouldn't be true?

Whenever anyone suggests something like this you can be pretty sure
they're doing it wrong.  This is no exception.

Ownership of a file does not imply endorsement of its contents.  If
you wanted to endorse the contents of a file you would have to put it
in a special location, or perhaps set a set-id bit.
