On Sat, Jun 17, 2006 at 11:39:29PM +0200, Magnus Holmgren wrote:
> On Saturday 17 June 2006 22:22, Robert Millan took the opportunity to write:
> > On Sat, Jun 17, 2006 at 09:59:32PM +0200, Magnus Holmgren wrote:
> > > > It seems it needs a bit more than access to the files:
> > > >
> > > >   2006-06-17 21:33:04 unable to set gid=1001 or uid=1001 (euid=102):
> > > > userforward router (recipient is [EMAIL PROTECTED])
> > > >
> > > > The ~/.forward files are world-readable, so why does it attempt
> > > > setgid/setuid? Can we still avoid running exim as root?
> > >
> > > Yeees, I forgot that. Exim always tries to setuid/setgid to the user and
> > > group given by those options or check_local_user, for security reasons I
> > > think. You could add a verify_only router, but then you can't use $home.
> >
> > I don't understand.  How can failure to drop privileges be a critical
> > error? When it runs as root, this never happens.  When it runs as user, it
> > isn't necessary (although access could be denied if user is not the same).
> 
> Because if you allow user-supplied filter files to be run as the exim user, 
> the users can (by default) do anything they want as that user. It's not root, 
> but it still has privileges users aren't supposed to have.

Oh, right.  I forgot that's as easy as "|/tmp/evil-script".

Perhaps we could define a separate interface for filters that happen before
accepting mail?  For example, ~/.preforward, and have things like:

  # Returns "251 User not local; will forward to <[EMAIL PROTECTED]>".
  # Actual forwarding is determined by ~/.forward.  This leaves us with room
  # to do other tricky things like procmail, bayesian filtering, etc.
  forward [EMAIL PROTECTED]
  finish

and:

  # Returns "551 User not local; please try <[EMAIL PROTECTED]>"
  # No delivering happens on our part (mail is rejected).
  forward [EMAIL PROTECTED]
  fail

Just two commands are enough to determine 251/551 actions, without compromising
security.  I think this would be feasible as long as exim user has read
permission to ~user/.preforward.

What do you think?

Btw, should we move this to the developer list?

-- 
Robert Millan
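An added example, not code from the thread or from Exim's own configuration: one way to have a redirect router read a world-readable ~/.preforward-style file as the Exim user, with no setuid at all, while refusing every directive that would run code or write files as that user. The router name, the file path, the +local_domains list and the assumption that account names match local parts are mine.

```exim
# Added example (not from the thread): a redirect router that reads a
# world-readable per-user file as the Exim user, without any setuid, and
# refuses every directive that would execute or write as the daemon user.
# Router name, file path, +local_domains and the local_parts pattern are
# assumptions.
preforward:
  driver = redirect
  domains = +local_domains
  # Only plain account-style local parts may be used to build a path;
  # anything containing "/", ".", "@" or shell characters never reaches
  # "file =".  \N...\N keeps the regexp out of string expansion.
  local_parts = \N^[a-z][a-z0-9_-]*$\N
  # No check_local_user and no user/group: Exim stays under its own uid,
  # so the "unable to set gid/uid" failure from the thread cannot occur.
  file = /home/${local_part}/.preforward
  # The file belongs to the account, not to the Exim user, so name the
  # permitted owner explicitly instead of switching ownership checks off
  # (assumes account names equal local parts).
  owners = ${local_part}
  # Reject group- or world-writable files: nobody else may plant entries.
  modemask = 022
  # allow_filter is deliberately absent, so Exim filter files (and their
  # "pipe"/"run" commands) are refused outright.  Of the plain-forward
  # syntax, only addresses and ":fail:" remain; pipes, file appends and
  # :include: are refused, which closes the "|/tmp/evil-script" hole.
  forbid_pipe
  forbid_file
  forbid_include
  # ":fail: text" in the file rejects the recipient at verification time
  # (a 5xx response), roughly the 551 case of the proposal.
  allow_fail
  # Consulted only when verifying a recipient, never for delivery; real
  # delivery still goes through the normal privileged userforward router.
  verify_only
  no_more
```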

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
