From e2f5dc151e2e79058e93924e6d35510557f0535d Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Sat, 11 Dec 2010 14:09:17 +0000 Subject: [PATCH] Check configure file permissions even for non-default files if still privileged (Bug 1044, CVE-2010-4345) --- doc/doc-txt/ChangeLog | 5 +++++ src/src/exim.c | 7 ++++--- src/src/globals.c | 1 + src/src/globals.h | 1 + src/src/readconf.c | 6 +++--- 5 files changed, 14 insertions(+), 6 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 99a6f176b..0063c6be0 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -78,6 +78,11 @@ DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a configuration file which is writeable by the Exim user or group. +DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability + of configuration files to cover files specified with the -C option if + they are going to be used with root privileges, not just the default + configuration file. + Exim version 4.72 ----------------- diff --git a/src/src/exim.c b/src/src/exim.c index 50950faa5..0d8f24492 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -1848,6 +1848,7 @@ for (i = 1; i < argc; i++) config_main_filelist = argrest; config_changed = TRUE; + trusted_config = FALSE; } break; @@ -3046,7 +3047,7 @@ values (such as the path name). If running in the test harness, pretend that configuration file changes and macro definitions haven't happened. */ if (( /* EITHER */ - (config_changed || macros != NULL) && /* Config changed, and */ + (!trusted_config || macros != NULL) && /* Config changed, and */ real_uid != root_uid && /* Not root, and */ #ifndef ALT_CONFIG_ROOT_ONLY /* (when not locked out) */ real_uid != exim_uid && /* Not exim, and */ @@ -3265,7 +3266,7 @@ If ALT_CONFIG_ROOT_ONLY is defined, we don't know whether we were called by the built-in exim user or one defined in the configuration. In either event, re-enable log processing, assuming the sysadmin knows what they are doing. */ -if (removed_privilege && (config_changed || macros != NULL) && +if (removed_privilege && (!trusted_config || macros != NULL) && real_uid == exim_uid) { #ifdef ALT_CONFIG_ROOT_ONLY @@ -3277,7 +3278,7 @@ if (removed_privilege && (config_changed || macros != NULL) && else log_write(0, LOG_MAIN|LOG_PANIC, "exim user (uid=%d) is defined only at runtime; privilege lost for %s", - (int)exim_uid, config_changed? "-C" : "-D"); + (int)exim_uid, trusted_config? "-D" : "-C"); #endif } diff --git a/src/src/globals.c b/src/src/globals.c index 9b77d876b..f77fbcc63 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -1268,6 +1268,7 @@ tree_node *tree_nonrecipients = NULL; tree_node *tree_unusable = NULL; BOOL trusted_caller = FALSE; +BOOL trusted_config = TRUE; gid_t *trusted_groups = NULL; uid_t *trusted_users = NULL; uschar *timezone_string = US TIMEZONE_DEFAULT; diff --git a/src/src/globals.h b/src/src/globals.h index d66880e67..62dd6b04a 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -783,6 +783,7 @@ extern tree_node *tree_nonrecipients; /* Tree of nonrecipient addresses */ extern tree_node *tree_unusable; /* Tree of unusable addresses */ extern BOOL trusted_caller; /* Caller is trusted */ +extern BOOL trusted_config; /* Configuration file is trusted */ extern gid_t *trusted_groups; /* List of trusted groups */ extern uid_t *trusted_users; /* List of trusted users */ extern uschar *timezone_string; /* Required timezone setting */ diff --git a/src/src/readconf.c b/src/src/readconf.c index 080305834..118ccf5fe 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -2874,10 +2874,10 @@ else "configuration file %s", filename)); } -/* Check the status of the file we have opened, unless it was specified on -the command line, in which case privilege was given away at the start. */ +/* Check the status of the file we have opened, if we have retained root +privileges. */ -if (!config_changed) +if (trusted_config) { if (fstat(fileno(config_file), &statbuf) != 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to stat configuration file %s", -- 2.25.1