On 2011-10-10 at 16:39 +1000, Russell Stuart wrote:
> I gather from exim's man page that the -D option is now frowned upon.
> In fact if I read it correctly it doesn't work at all unless I do a
> custom compile setting WHITELIST_D_MACROS. So what is the preferred
> mechanism for giving exim information? Is there another command line
> switch, or is there some way to extract it from the environment?

Build Exim with TRUSTED_CONFIG_LIST defined; that points to a file listing the paths of defined-by-admin-to-be-safe config files.

Use another config file which sets a couple of macros and then .include's the real config file, and then reference this new config file in the trusted list.

That way, the precise set of available macros is locked down to files controlled/owned by root, or the configure owner (which should _not_ include the Exim run-time user).

Sorry, the old freedom made it far too easy to escalate privileges from the Exim run-time user to root (unless you built Exim as setuid to a dedicated user instead of root, per some of the pointers in "52. Security considerations").

-Phil
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
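
The layout described in the reply above, as an added example that is not part of the original message or of Exim's own documentation. All paths, macro names and values are assumptions chosen for illustration, and the `#` lines are annotations for the reader that separate the files.

```conf
# == Local/Makefile (build time) ==
# Points at the file that lists the admin-approved config files.
TRUSTED_CONFIG_LIST=/etc/exim/trusted_configs

# == /etc/exim/trusted_configs ==
# One absolute path per line. Owned by root (or the configure owner),
# never writable by the Exim run-time user.
/etc/exim/wrapper-site-a.conf
/etc/exim/wrapper-site-b.conf

# == /etc/exim/wrapper-site-a.conf ==
# Sets the macros that would otherwise have been passed with -D,
# then pulls in the real configuration.
SITE_NAME = site-a
SITE_INTERFACE = 192.0.2.10
.include /etc/exim/exim.conf

# == /etc/exim/wrapper-site-b.conf ==
SITE_NAME = site-b
SITE_INTERFACE = 192.0.2.11
.include /etc/exim/exim.conf

# == /etc/exim/exim.conf (shared config, excerpt) ==
# Macro names are replaced textually before the line is parsed.
primary_hostname = SITE_NAME.example.org
local_interfaces = SITE_INTERFACE
```

Each instance is then started with `exim -C /etc/exim/wrapper-site-a.conf` (or the site-b wrapper) in place of `-D` macro definitions on the command line.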
