Re: [exim] Taint checking and exim 4.96rc0
Dňa 29. apríla 2022 21:41:55 UTC používateľ Kirill Miazine via Exim-users napísal: >I'd welcome some generic way to untaint data. E.g. Perl would allow to >subpatterns from regular expression match to untaint parts of data. For >local parts and domains there's kind of a way, but for local part >affixes or sender addresses, I couldn't find a way. Yes, as i wrote the same already some time ago, some generic ${detaint:...} expansion is missing. All current solutions are based on "local" DB lookup. But it is not suitable e.g. to my case, where i verify recipients from my MX to my other MTA (where local DB are stored) by callout. But that doey not detaint recipient address nor domain, thus i have to use some tricks to be able to use per recipient/domain (something as) quarantine on MX... As redis support is not full (and on Debian is missing at all) i use ${run ...} to communicate with redis and i afraid, that i will have problems to use it in new version, etc, etc. I have very mixed feel. And i can only afraid, what will arrive next. Perhaps reject to detaint by that local DB values (as someone can insert insecure values there)? After more than 30 years in computer & network word i learn, that software can either allow to do flexible configuration (including mistakes) or do not allow to do mistakes (but without flexibility), never can be achieved both at once... Until recent, exim was in the first case and we will see, where it go. Regards -- Slavko -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Taint checking and exim 4.96rc0
On 29/04/2022 22:41, Kirill Miazine via Exim-users wrote: I'd welcome some generic way to untaint data. If you know of one which does not require a list of known-good values, and is not trivially abusable by blind copy-pasting of recipes found on random blogs - I'm all ears. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Taint checking and exim 4.96rc0
• Heiko Schlittermann via Exim-users [2022-04-29 21:07]: [...] > The "allow_insecure_tainted_data" was introduced to ease the migration > from 4.94 to 4.95, giving you/us a timeframe to upgrade existing > configurations to be taintproof. > > Before upgrading to 4.96 you should have a taintproof (secure) > configuration. The deprecation of "allow_insecure_tainted_data" was > announced with the advent of this option already. > > Which point did I miss? Do we have *new* taintchecks that break > configurations that were considered secure with 4.95? I had a setup which didn't use allow_insecure_tainted_data, but I was hit by JH/25 Taint-check exec arguments for transport-initiated external processes. Previously, tainted values could be used. This affects "pipe", "lmtp" and "queryprogram" transport, transport-filter, and ETRN commands. The ${run} expansion is also affected: in "preexpand" mode no part of the command line may be tainted, in default mode the executable name may not be tainted. I welcome taint checking facilities, but I'm afraid that the introduction of taint checking for exec arguments will cause lots of broken configurations. Even the Exim spec has (had) examples which would be broken by the change. When shell is not used, the only reason for tain checking argument would be to protect the command being called in case it's not prepared to deal with malicious arguments. When using Perl's taint checking facilities (-T) some 20 years ago, I remember I spent quite a while reading perlsec(1). Memories from that time helped me when trying to understand taint checking in Exim. The Exim documentation is still not very detailed about the concept. I'm not ready to write anything, as I haven't gained enough understanding myself yet. I'd welcome some generic way to untaint data. E.g. Perl would allow to subpatterns from regular expression match to untaint parts of data. For local parts and domains there's kind of a way, but for local part affixes or sender addresses, I couldn't find a way. > Best regards from Dresden/Germany > Viele Grüße aus Dresden > Heiko Schlittermann > -- > SCHLITTERMANN.de internet & unix support - > Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - > gnupg encrypted messages are welcome --- key ID: F69376CE - -- -- Kirill Miazine -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Taint checking and exim 4.96rc0
Dean Brooks via Exim-users wrote: > On Fri, Apr 29, 2022 at 05:16:45PM +0100, Andrew C Aitchison via Exim-users > wrote: > > > Given that taint checking appeared in Exim 4.93 and > > allow_insecure_tainted_data in Exim 4.95, > > this (Exim 4.96) would be the first time that allow_insecure_tainted_data > > would actually be helpful. > > > > Is it just me, or are others worried about the new taint checking > > having unexpected consequences and no way to disable it for debugging ? > > I'd prefer the allow_insecure_tainted_data never be removed, now or in the > future. At the least, as an experimental feature that requires intentional > enabling during a source build. At the worst as a separate community > maintained patch against the official source for each new release. > Maintaining production mail systems that handle millions of messages a month > is no trivial feat, and a single taint failure can turn (and has turned) a > routine upgrade plan into a mess. 100% agreement. Having to include it as build option is reasonable. Michael -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Taint checking and exim 4.96rc0
Andrew C Aitchison via Exim-users (Fr 29 Apr 2022 18:16:45 CEST): > To which Jeremy replied: > > The trouble with that is that it means the coverage of tracking > > tainted data use can never be extended. > > > > The commit for that removal is fairly extensive: > - see https://lists.exim.org/lurker/message/20220427.174941.443df2eb.en.html > for the 27 reverts and 35 files changed. > > Given that taint checking appeared in Exim 4.93 and > allow_insecure_tainted_data in Exim 4.95, > this (Exim 4.96) would be the first time that allow_insecure_tainted_data > would actually be helpful. > > Is it just me, or are others worried about the new taint checking > having unexpected consequences and no way to disable it for debugging ? The "allow_insecure_tainted_data" was introduced to ease the migration from 4.94 to 4.95, giving you/us a timeframe to upgrade existing configurations to be taintproof. Before upgrading to 4.96 you should have a taintproof (secure) configuration. The deprecation of "allow_insecure_tainted_data" was announced with the advent of this option already. Which point did I miss? Do we have *new* taintchecks that break configurations that were considered secure with 4.95? Best regards from Dresden/Germany Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE - signature.asc Description: PGP signature -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Taint checking and exim 4.96rc0
On Fri, Apr 29, 2022 at 05:16:45PM +0100, Andrew C Aitchison via Exim-users wrote: > Given that taint checking appeared in Exim 4.93 and > allow_insecure_tainted_data in Exim 4.95, > this (Exim 4.96) would be the first time that allow_insecure_tainted_data > would actually be helpful. > > Is it just me, or are others worried about the new taint checking > having unexpected consequences and no way to disable it for debugging ? I'd prefer the allow_insecure_tainted_data never be removed, now or in the future. At the least, as an experimental feature that requires intentional enabling during a source build. At the worst as a separate community maintained patch against the official source for each new release. Maintaining production mail systems that handle millions of messages a month is no trivial feat, and a single taint failure can turn (and has turned) a routine upgrade plan into a mess. Thanks, Dean -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
[exim] Taint checking and exim 4.96rc0
On Mon, 25 Apr 2022, Kirill Miazine via Exim-dev wrote: Beware that the just released RC0 for Exim 4.96 may break your Dovecot LDA delivery. It did break mine, which is similar to what is described on https://wiki.dovecot.org/LDA/Exim Here is the relevant ChangeLog entry: JH/25 Taint-check exec arguments for transport-initiated external processes. Previously, tainted values could be used. This affects "pipe", "lmtp" and "queryprogram" transport, transport-filter, and ETRN commands. The ${run} expansion is also affected: in "preexpand" mode no part of the command line may be tainted, in default mode the executable name may not be tainted. Jeremy Harris via Exim-announce [2022-04-23 20:23]: > Notable removals since 4.95: > > - the "allow_insecure_tainted_data" main config option and the > "taint" log_selector. These were previously deprecated. That seemed like an unfortunate combination to me, so over on the exim-dev list https://lists.exim.org/lurker/message/20220426.072833.c68602fb.en.html I asked: That isn't a good combination. Please could we keep the option to allow_insecure_tainted_data if there are new taint features ? That way we can continue to run live systems while we resolve these sort of problems. To which Jeremy replied: The trouble with that is that it means the coverage of tracking tainted data use can never be extended. The commit for that removal is fairly extensive: - see https://lists.exim.org/lurker/message/20220427.174941.443df2eb.en.html for the 27 reverts and 35 files changed. Given that taint checking appeared in Exim 4.93 and allow_insecure_tainted_data in Exim 4.95, this (Exim 4.96) would be the first time that allow_insecure_tainted_data would actually be helpful. Is it just me, or are others worried about the new taint checking having unexpected consequences and no way to disable it for debugging ? -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/