Earlier this week I had a discussion with Ian Jackson and Jon Amery about support for chiark's Exim configuration in Exim 4. They want to be able to run users' .forward files at verification time, in order to be able to reject local parts with affixes that the user has not defined. This works easily in Exim 3 because it is able to switch to any user's privilege context at verification time, so it can run the .forward file with the same privileges as the person who created the file. Exim 4 cannot do this.
What we want to be able to do is safely run a .forward file at verification time, with all the dangerous features turned off; then re-run it at delivery time with all the funky stuff available. I suggest the following changes to Exim to make this easier.

(1) The set of forbid_filter_* options increases over time, and omitting one of them in this verification router opens a security hole. So I suggest a forbid_filter_all option which encompasses all of them and will not become insecure in the future. Hmm. I have an uncommitted forbid_all option which was designed to make the redirect routers on ppswitch shorter, but it is too strict for the chiark configuration. See below for the draft patch.

(2) As a counterpart to the forbid_filter_all option, we need an ignore_forbidden_expansions option, which means that forbidden expansions do not cause an error at verification time; instead Exim should just give the .forward file the benefit of the doubt. Would it be sufficient to just make them expand to the empty string?

(3) A redirect router which has verify_only and check_local_user is a configuration error at the moment - it cannot work, because Exim cannot switch to the local user at verification time to run the router. I suggest that in this situation, Exim should omit the switch-to-user effects of check_local_user, and probably also automatically turn on forbid_filter_all and ignore_forbidden_expansions.

Any comments on these suggestions? Philip, do you have time to do the coding? :-)

Tony.

-- 
<[EMAIL PROTECTED]> <[EMAIL PROTECTED]> http://dotat.at/
${sg{\N${sg{\ N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\ \N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}

--- routers/redirect.c 7 Feb 2006 11:19:02 -0000 1.15
+++ routers/redirect.c 12 Apr 2006 13:40:57 -0000
@@ -39,6 +39,8 @@ (void *)offsetof(redirect_router_options_block, file) }, { "file_transport", opt_stringptr, (void *)offsetof(redirect_router_options_block, file_transport_name) }, + { "forbid_all", opt_bool, + (void *)offsetof(redirect_router_options_block, forbid_all) }, { "forbid_blackhole", opt_bit | (RDON_BLACKHOLE << 16), (void *)offsetof(redirect_router_options_block, bit_options) }, { "forbid_exim_filter", opt_bit | (RDON_EXIM_FILTER << 16), @@ -209,6 +211,23 @@ if (rblock->unseen || rblock->expand_unseen != NULL) log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n " "\"unseen\" may not be used with \"one_time\"", rblock->name); + } + +/* Handle the forbid_all option, which sets a load of other options. It must +also check that none of the allow_ settings have been enabled, because that +would be inconsistent. */ + +if (ob->forbid_all) + { + if ((ob->bit_options & (RDO_DEFER | RDO_FAIL | RDO_FILTER | RDO_FREEZE)) + != 0) + log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s router:\n " + "\"forbid_all\" may not be used with an \"allow_\" option", + rblock->name); + ob->forbid_pipe = ob->forbid_file = ob->forbid_filter_reply = TRUE; + ob->bit_options |= RDO_BLACKHOLE | RDO_EXIM_FILTER | RDO_DLFUNC | + RDO_EXISTS | RDO_LOG | RDO_LOOKUP | RDO_PERL | RDO_READFILE | + RDO_READSOCK | RDO_RUN | RDO_INCLUDE | RDO_SIEVE_FILTER; } /* The defaults for check_owner and check_group depend on other settings. The --- routers/redirect.h 7 Feb 2006 11:19:02 -0000 1.7 +++ routers/redirect.h 12 Apr 2006 13:40:57 -0000 @@ -48,6 +48,7 @@ BOOL check_ancestor; BOOL check_group; BOOL check_owner; + BOOL forbid_all; BOOL forbid_file; BOOL forbid_filter_reply; BOOL forbid_pipe; -- ## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
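Review bot: the `forbid_all` entry in the option table (first hunk, between `file_transport` and `forbid_blackhole`) keeps the alphabetical order the rest of the table follows, but the patch carries no documentation for the new option, and the message itself notes that it is stricter than the `forbid_filter_all` proposed in point (1): it also switches on `forbid_pipe`, `forbid_file` and `forbid_filter_reply`. Either name the option for what it forbids (all redirection features, not just filter features) or narrow it to the filter set, and add the spec entry in the same change.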
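Review bot: the mask ORed into `ob->bit_options` in the second hunk is a hand-maintained list of twelve `RDO_*` bits plus three separate BOOLs, so a `forbid_*` option added in a later release and not added here silently falls outside `forbid_all`, which is the same maintenance hazard point (1) raises against listing `forbid_filter_*` options one by one. Define a single all-forbids mask next to the `RDO_*` definitions and OR that in, so a new bit is added in one place. Refusing `forbid_all` alongside any of `RDO_DEFER | RDO_FAIL | RDO_FILTER | RDO_FREEZE` is the right call; testing the four bits separately would let the `LOG_PANIC_DIE` message name the offending `allow_` option instead of leaving the admin to guess.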
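Review bot: `BOOL forbid_all` is inserted into `redirect_router_options_block` between `check_owner` and `forbid_file` (redirect.h hunk), but there is no matching change to `redirect_router_option_defaults` in redirect.c. That defaults block is a positional initializer, so a new field in the middle of the struct without a corresponding `FALSE` entry shifts the default of every field that follows it; add the entry at the same position, or append the new field at the end of the struct.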
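The two-pass arrangement the message describes (a locked-down run of .forward at verification time, a full-featured run at delivery time) written out as Exim 4 router configuration. This is an added illustration, not chiark's or ppswitch's configuration and not part of the original post or the patch; the router names, the transport names and the assumption that home directories live under /home are mine. The verification router spells out every forbid_* option the patch's RDO_* list and three BOOLs correspond to, which is exactly the list point (1) wants to replace with one option; because check_local_user cannot be combined with verify_only (point 3), it sets $home through router_home_directory and reads the file as the Exim run-time user.

```exim
# --- verification-time pass (added example, not from the post) ----------
# Reads ~user/.forward only to decide whether the address, with any +suffix
# the user has defined, should be accepted.  Every feature that could run
# code, touch files or leak data is forbidden; a .forward that uses one of
# them is an error at verification time (the behaviour point (2) wants to
# relax), so the address is refused rather than given the benefit of the doubt.
forward_verify:
  driver = redirect
  verify_only
  local_part_suffix = +*
  local_part_suffix_optional
  # check_local_user cannot be combined with verify_only, so $home is set
  # by hand; the /home/<user> layout is an assumption for this example.
  router_home_directory = /home/$local_part
  file = $home/.forward
  # The complete forbid list as of Exim 4.6x.  Each line has to be kept in
  # step with new releases by hand; a forbid_filter_all option would replace
  # the whole block and could not go stale.
  forbid_blackhole
  forbid_exim_filter
  forbid_file
  forbid_filter_dlfunc
  forbid_filter_existstest
  forbid_filter_logwrite
  forbid_filter_lookup
  forbid_filter_perl
  forbid_filter_readfile
  forbid_filter_readsocket
  forbid_filter_reply
  forbid_filter_run
  forbid_include
  forbid_pipe
  forbid_sieve_filter

# --- delivery-time pass --------------------------------------------------
# The same file, re-run under the user's own uid/gid with everything
# permitted.  no_verify keeps verification from ever reaching this router,
# just as verify_only keeps delivery away from the one above.
forward_deliver:
  driver = redirect
  no_verify
  check_local_user
  local_part_suffix = +*
  local_part_suffix_optional
  file = $home/.forward
  allow_filter
  pipe_transport = address_pipe
  file_transport = address_file
  reply_transport = address_reply
```

The suffix options on both routers must match, otherwise an address accepted by forward_verify can be routed differently at delivery time. The transports named in the delivery router (address_pipe, address_file, address_reply) are the conventional names from the default configuration and are assumed to be defined elsewhere in the file.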
