Re: exim-using packages - are you relying on -C or -D options?
Peter Samuelson writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> [Stephen Gran]
> > Currently exim will accept -C to any file in any location. This
> > makes it trivial for an attacker to escalate from exim to root by
> > making any expansion in the config file run code as a privileged
> > user. The current alternative is to make exim refuse to execute if
> > the config file is not in a build-time configured directory.
> ...Or just fstat() the file after you open it, to make sure it's owned
> by root:root, and !(mode & 002) ? I mean, is there a legitimate case
> where this wouldn't be true?
Whenever anyone suggests something like this you can be pretty sure
they're doing it wrong. This is no exception.
Ownership of a file does not imply endorsement of its contents. If
you wanted to endorse the contents of a file you would have to put it
in a special location, or perhaps set a set-id bit.