On Sat, Jun 17, 2006 at 11:39:29PM +0200, Magnus Holmgren wrote:
> On Saturday 17 June 2006 22:22, Robert Millan took the opportunity to write:
> > On Sat, Jun 17, 2006 at 09:59:32PM +0200, Magnus Holmgren wrote:
> > > > It seems it needs a bit more than access to the files:
> > > >
> > > > 2006-06-17 21:33:04 unable to set gid=1001 or uid=1001 (euid=102):
> > > > userforward router (recipient is [EMAIL PROTECTED])
> > > >
> > > > The ~/.forward files are world-readable, so why does it attempt
> > > > setgid/setuid? Can we still avoid running exim as root?
> > >
> > > Yeees, I forgot that. Exim always tries to setuid/setgid to the user and
> > > group given by those options or check_local_user, for security reasons I
> > > think. You could add a verify_only router, but then you can't use $home.
> >
> > I don't understand. How can failure to drop privileges be a critical
> > error? When it runs as root, this never happens. When it runs as user, it
> > isn't necessary (although access could be denied if user is not the same).
>
> Because if you allow user-supplied filter files to be run as the exim user,
> the users can (by default) do anything they want as that user. It's not root,
> but it still has privileges users aren't supposed to have.

Oh, right. I forgot that's as easy as "|/tmp/evil-script".

Perhaps we could define a separate interface for filters that happen before
accepting mail? For example, ~/.preforward, and have things like:

  # Returns "251 User not local; will forward to <[EMAIL PROTECTED]>".
  # Actual forwarding is determined by ~/.forward. This leaves us with room
  # to do other tricky things like procmail, bayesian filtering, etc.
  forward [EMAIL PROTECTED]
  finish

and:

  # Returns "551 User not local; please try <[EMAIL PROTECTED]>"
  # No delivering happens on our part (mail is rejected).
  forward [EMAIL PROTECTED]
  fail

Just two commands are enough to determine 251/551 actions, without compromising
security. I think this would be feasible as long as exim user has read
permission to ~user/.preforward.

What do you think?

Btw, should we move this to the developer list?

-- 
Robert Millan

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
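
Added example, not part of the original message and not Exim code: a strict parser for the ~/.preforward format proposed above, treating the file purely as data so it can be read by the unprivileged exim user without a setuid to the recipient. The exact grammar (two commands only, the address pattern, the size limit), the function and class names, and the example.org addresses are assumptions made for illustration.

```python
import re

# Assumed grammar: exactly one "forward <address>" line followed by one
# "finish" or "fail" line; blank lines and '#' comments are ignored.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_BYTES = 1024  # assumption: refuse oversized files instead of parsing them


class PreforwardError(ValueError):
    """The file contains something outside the two-command grammar."""


def parse_preforward(text):
    """Return (smtp_code, reply_text) for the body of a ~/.preforward file.

    Nothing is executed or expanded here. Pipes, file paths and includes,
    which are what make ~/.forward unsafe to process as the exim user,
    are rejected because they are not valid addresses.
    """
    if len(text.encode("utf-8")) > MAX_BYTES:
        raise PreforwardError("file too large")
    lines = [line.strip() for line in text.splitlines()]
    cmds = [line for line in lines if line and not line.startswith("#")]
    if len(cmds) != 2:
        raise PreforwardError("expected exactly two commands")
    verb, _, addr = cmds[0].partition(" ")
    addr = addr.strip()
    if verb != "forward" or not _ADDR.fullmatch(addr):
        raise PreforwardError("first command must be 'forward <address>'")
    if cmds[1] == "finish":
        return 251, f"User not local; will forward to <{addr}>"
    if cmds[1] == "fail":
        return 551, f"User not local; please try <{addr}>"
    raise PreforwardError("second command must be 'finish' or 'fail'")


def reply_or_none(text):
    """Fail closed: a malformed file yields no special reply at all."""
    try:
        return parse_preforward(text)
    except PreforwardError:
        return None


# Constructed sample inputs.
SAMPLE_FINISH = "# keep delivering\nforward alice@example.org\nfinish\n"
SAMPLE_FAIL = "forward alice@example.org\nfail\n"
SAMPLE_PIPE = "forward |/tmp/evil-script\nfinish\n"
```

A caller would treat `None` from `reply_or_none` as "no ~/.preforward present" and continue with normal address verification.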
