From 66581d1e830f4e68f2b074b8d79a80645c6a72ea Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Wed, 15 Dec 2010 02:43:33 -0500 Subject: [PATCH] Implement -D whitelist invoking user restriction. Document WHITELIST_D_MACROS. --- doc/doc-docbook/spec.xfpt | 34 ++++++++++++++++++++++++++++++++-- doc/doc-txt/ChangeLog | 1 + src/src/exim.c | 15 +++++++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 996b2e5d7..b2c40e48a 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -3374,6 +3374,14 @@ unprivileged caller, it causes Exim to give up its root privilege. If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is completely disabled, and its use causes an immediate error exit. +If WHITELIST_D_MACROS is defined in &_Local/Makefile_& then it should be a +colon-separated list of macros which are considered safe and, if &%-D%& only +supplies macros from this list, and the values are acceptable, then Exim will +not give up root privilege if the caller is root, the Exim run-time user, or +the CONFIGURE_OWNER, if set. This is a transition mechanism and is expected +to be removed in the future. Acceptable values for the macros satisfy the +regexp: &`^[A-Za-z0-9_/.-]*$`& + The entire option (including equals sign if present) must all be within one command line item. &%-D%& can be used to set the value of a macro to the empty string, in which case the equals sign is optional. These two commands are 
@@ -4557,6 +4565,16 @@ non-privileged user causes Exim to discard its root privilege. If DISABLE_D_OPTION is defined in &_Local/Makefile_&, the use of &%-D%& is completely disabled, and its use causes an immediate error exit. +The WHITELIST_D_MACROS option in &_Local/Makefile_& permits the binary builder +to declare certain macro names trusted, such that root privilege will not +necessarily be discarded. +WHITELIST_D_MACROS defines a colon-separated list of macros which are +considered safe and, if &%-D%& only supplies macros from this list, and the +values are acceptable, then Exim will not give up root privilege if the caller +is root, the Exim run-time user, or the CONFIGURE_OWNER, if set. This is a +transition mechanism and is expected to be removed in the future. Acceptable +values for the macros satisfy the regexp: &`^[A-Za-z0-9_/.-]*$`& + Some sites may wish to use the same Exim binary on different machines that share a file system, but to use different configuration files on each machine. If CONFIGURE_FILE_USE_NODE is defined in &_Local/Makefile_&, Exim first @@ -33805,7 +33823,8 @@ configuration file, and using it to break into other accounts. If a non-trusted configuration file (i.e. the default configuration file or one which is trusted by virtue of matching a prefix listed in the TRUSTED_CONFIG_PREFIX_LIST file) is specified with &%-C%&, or if macros are -given with &%-D%&, then root privilege is retained only if the caller of Exim +given with &%-D%& (but see the next item), +then root privilege is retained only if the caller of Exim is root. This locks out the possibility of testing a configuration using &%-C%& right through message reception and delivery, even if the caller is root. The reception works, but by that time, Exim is running as the Exim user, so when 
@@ -33813,6 +33832,14 @@ it re-execs to regain privilege for the delivery, the use of &%-C%& causes privilege to be lost. However, root can test reception and delivery using two separate commands. .next +The WHITELIST_D_MACROS build option declares some macros to be safe to override +with &%-D%& if the real uid is one of root, the Exim run-time user or the +CONFIGURE_OWNER, if defined. The potential impact of this option is limited by +requiring the run-time value supplied to &%-D%& to match a regex that errs on +the restrictive side. Requiring build-time selection of safe macros is onerous +but this option is intended solely as a transition mechanism to permit +previously-working configurations to continue to work after release 4.73. +.next If DISABLE_D_OPTION is defined, the use of the &%-D%& command line option is disabled. .next @@ -33868,9 +33895,12 @@ uid and gid in the following cases: If the &%-C%& option is used to specify an alternate configuration file, or if the &%-D%& option is used to define macro values for the configuration, and the calling process is not running as root, the uid and gid are changed to those of - the calling process. +the calling process. However, if DISABLE_D_OPTION is defined in &_Local/Makefile_&, the &%-D%& option may not be used at all. +If WHITELIST_D_MACROS is defined in &_Local/Makefile_&, then some macro values +can be supplied if the calling process is running as root, the Exim run-time +user or CONFIGURE_OWNER, if defined. .next .oindex "&%-be%&" .oindex "&%-bf%&" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 386a15b8f..162d6c5f6 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -99,6 +99,7 @@ PP/28 Add WHITELIST_D_MACROS option to let some macros be overriden by the Exim run-time user without dropping privileges. + Exim version 4.72 ----------------- diff --git a/src/src/exim.c b/src/src/exim.c index f50a62b94..749868231 100644 --- a/src/src/exim.c +++ b/src/src/exim.c 
@@ -1159,6 +1159,21 @@ if (macros == NULL) return FALSE; #else +/* We only trust -D overrides for some invoking users: +root, the exim run-time user, the optional config owner user. +I don't know why config-owner would be needed, but since they can own the +config files anyway, there's no security risk to letting them override -D. */ +if ( ! ((real_uid == root_uid) + || (real_uid == exim_uid) +#ifdef CONFIGURE_OWNER + || (real_uid == config_uid) +#endif + )) + { + debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid); + return FALSE; + } + /* Get a list of macros which are whitelisted */ whitelisted = string_copy_malloc(US WHITELIST_D_MACROS); prev_char_item = FALSE; -- 2.25.1
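Review bot: In the exim.c hunk, the trust check is placed before `whitelisted = string_copy_malloc(...)`, so an untrusted real uid returns FALSE before any of the whitelist string handling runs; that is the right fail-closed order and worth keeping if the function is later reshuffled. Two smaller points in the same hunk: the comment "I don't know why config-owner would be needed" is a weak justification for a privilege decision, so either state the rationale (the CONFIGURE_OWNER already owns and can edit the config files, which the comment does note) or drop the `config_uid` branch; and the bare `debug_printf(...)` call would be more in keeping with guarded debug output if wrapped as `DEBUG(D_any) debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);`, assuming that is the convention used elsewhere in this file.

Review bot: The first two spec.xfpt hunks (at 3374 and 4565) add an almost word-for-word duplicate of the WHITELIST_D_MACROS paragraph; a cross-reference from one to the other would keep them from drifting apart when the "transition mechanism" wording is later changed or removed. In both, "and the values are acceptable" is only explained by the trailing regexp sentence, so consider stating directly what happens when a supplied value does not match `^[A-Za-z0-9_/.-]*$` (privilege dropped as for any other -D use, or an error) so an administrator can tell it fails closed.

Review bot: In the 33832 hunk the sentence "match a regex that errs on the restrictive side" would be more useful if it said why that character set was chosen: it excludes whitespace and the characters used by string expansion and list syntax, which is what limits a whitelisted macro value from altering the rest of the configuration. The 33895 hunk's "some macro values can be supplied" is also vaguer than the surrounding text; suggest "the macros listed in WHITELIST_D_MACROS can be supplied without the uid and gid being changed".

Review bot: The ChangeLog hunk only adds a blank line, but the PP/28 context line above it reads "overriden" and should be "overridden"; since the file is being touched, fix it here. That entry also says the macros may be overridden "by the Exim run-time user", whereas the exim.c check trusts root, exim_uid and (if CONFIGURE_OWNER is defined) config_uid, so the entry should list all three to match the code and the spec text.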