On Mon, 3 Jun 2013, Allen Bell wrote:
> But sometimes, the developer ego gets involved and once they make a
> decision about the "right way" to do something it becomes cast in concrete.

I don't see how problems like this are in any way specific to free software. I suppose it might seem that way because, in proprietary software, such annoyances are forgotten among the annoying things they do to upsell you on other editions of the product, or to cuddle with the audio/video copyright lobby.

> My case in point today is having installed the latest version of Exim and
> finding that the directive placing "root" on the never list - cannot be
> overridden.

But this has nothing to do with developer ego. It's done that way to plug a real privilege escalation exploit.

It's my fault, btw. The actual change was Philip's idea, but I pointed out this exploit to him back in 2003.

The problem is the "-C" option, which specifies a different configuration file than that compiled in.

As normally configured, Exim's use of the "exim user/group" persona is purely a security firebreak. It means that in the many places where a remote-execution vulnerability might be hiding, it will only give the attacker an "exim user" shell, not a root shell. But this is meaningless if there is a reliable way to escalate from the "exim user" to root.

And before FIXED_NEVER_USERS, there was. All the attacker has to do is construct a configuration file that sets never_users blank and calls for a piped delivery using an executable he provides, to be run as root. As long as you start as the compiled-in exim user, Exim will honor a "-C" from the command-line and use its root privileges to execute that configuration.

TL;DR - if an attacker gets an "exim user" shell, he can escalate to any user-id not in FIXED_NEVER_USERS. So it's a good idea to always have root in that list.

---- Michael Deutschmann
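As an added example (not part of the message above, nor Exim's own code), a defender-side check that a deployed Exim binary was built with root in FIXED_NEVER_USERS: it parses the "Fixed never_users:" line that `exim -bV` prints. The sample output is constructed, and the line format (uids separated by ':' or ',', line absent when nothing is fixed) is an assumption about Exim's output.

```python
"""Check that an Exim build has root (uid 0) compiled into FIXED_NEVER_USERS.

Added example, not from the original message or the Exim project. It parses
the "Fixed never_users:" line of `exim -bV` (format assumed: uids separated
by ':' or ','). If the line is absent, the build fixes no users, so a
configuration supplied with -C could re-enable root deliveries.
"""
import re
import subprocess
from typing import Optional, Set

NEVER_USERS_RE = re.compile(r"^Fixed never_users:\s*(.*)$", re.MULTILINE)


def parse_fixed_never_users(bv_output: str) -> Set[int]:
    """Return the uids on the 'Fixed never_users' line (empty set if absent)."""
    m = NEVER_USERS_RE.search(bv_output)
    if not m:
        return set()
    return {int(tok) for tok in re.split(r"[:,\s]+", m.group(1).strip()) if tok}


def root_is_fixed_never_user(bv_output: str) -> bool:
    """True when uid 0 is compiled in and so cannot be cleared via never_users."""
    return 0 in parse_fixed_never_users(bv_output)


def check_installed_exim(binary: str = "exim") -> Optional[bool]:
    """Run `exim -bV` on this host; None if no such binary is available."""
    try:
        proc = subprocess.run([binary, "-bV"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return root_is_fixed_never_user(proc.stdout)


# Constructed sample of `exim -bV` output, trimmed to the relevant lines.
SAMPLE_GOOD = """Exim version 4.xx #1 (constructed sample)
Fixed never_users: 0
Configure owner: 0:0
"""
# Constructed: a build with FIXED_NEVER_USERS left empty prints no such line.
SAMPLE_BAD = """Exim version 4.xx #1 (constructed sample)
Configure owner: 0:0
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, "build: root fixed =", root_is_fixed_never_user(sample))
    live = check_installed_exim()
    print("installed exim:", "not found" if live is None else f"root fixed = {live}")
```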
