From 8829633f58b90fda03309f65e6c099ed031005e3 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Sun, 22 Apr 2012 20:35:02 -0700 Subject: [PATCH] Always init_lookup_list before readconf_main. This happens while still root. Be more emphatic in EDITME about the security implications of loadable modules. --- src/src/EDITME | 10 +++++++++- src/src/exim.c | 18 +++++++++++------- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/src/src/EDITME b/src/src/EDITME index fc57054bf..01faca229 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -248,11 +248,19 @@ TRANSPORT_SMTP=yes #------------------------------------------------------------------------------ # See below for dynamic lookup modules. -# LOOKUP_MODULE_DIR=/usr/lib/exim/lookups/ +# # If not using package management but using this anyway, then think about how # you perform upgrades and revert them. You should consider the benefit of # embedding the Exim version number into LOOKUP_MODULE_DIR, so that you can # maintain two concurrent sets of modules. +# +# *BEWARE*: ability to modify the files in LOOKUP_MODULE_DIR is equivalent to +# the ability to modify the Exim binary, which is often setuid root! The Exim +# developers only intend this functionality be used by OS software packagers +# and we suggest that such packagings' integrity checks should be paranoid +# about the permissions of the directory and the files within. + +# LOOKUP_MODULE_DIR=/usr/lib/exim/lookups/ # To build a module dynamically, you'll need to define CFLAGS_DYNAMIC for # your platform. Eg: diff --git a/src/src/exim.c b/src/src/exim.c index 8df6aed54..90ecd0629 100644 --- a/src/src/exim.c +++ b/src/src/exim.c 
@@ -3456,6 +3456,17 @@ if ((filter_test & FTEST_USER) != 0) } } +/* Initialise lookup_list +If debugging, already called above via version reporting. +In either case, we initialise the list of available lookups while running +as root. All dynamically modules are loaded from a directory which is +hard-coded into the binary and is code which, if not a module, would be +part of Exim already. Ability to modify the content of the directory +is equivalent to the ability to modify a setuid binary! + +This needs to happen before we read the main configuration. */ +init_lookup_list(); + /* Read the main runtime configuration data; this gives up if there is a failure. It leaves the configuration file open so that the subsequent configuration data for delivery can be read if needed. */ @@ -3644,13 +3655,6 @@ if (opt_perl_at_start && opt_perl_startup != NULL) } #endif /* EXIM_PERL */ -/* Initialise lookup_list -If debugging, already called above via version reporting. -This does mean that debugging causes the list to be initialised while root. -This *should* be harmless -- all modules are loaded from a fixed dir and -it's code that would, if not a module, be part of Exim already. */ -init_lookup_list(); - /* Log the arguments of the call if the configuration file said so. This is a debugging feature for finding out what arguments certain MUAs actually use. Don't attempt it if logging is disabled, or if listing variables or if -- 2.25.1
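Review bot: The added `init_lookup_list();` ahead of the main configuration read loads the lookup modules while still root, and nothing visible in this hunk checks the ownership or mode of LOOKUP_MODULE_DIR or of the files in it; the new comment states that trust assumption but the code shown does not enforce it. `init_lookup_list` is defined outside this patch, so the check may already exist there. If it does not, it should refuse to load from a directory or module file that is not root-owned or that is group- or world-writable, and log the refusal. The comment's third sentence reads more clearly as `All dynamically loaded modules come from a directory which is`. Since the comment says the debug path has already called the function, it is also worth stating there that a second call is a no-op, assuming that holds.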