Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries
Dengler, Gabriel via Exim-users (Mi 02 Nov 2022 19:03:34
CET):
> About the security caveats: do you think that there could be bigger security
> issues if the code runs in an isolated environment like Gramine is? Or can
> you sketch how a possible security attack could look?
If I remember well, until we introduced keep_environment and
add_environment, the following was possible as an unprivileged user
("hans"):
$ export PERL5LIB=/home/hans
$ /usr/sbin/exim …
In the above scenario the Exim config used Perl functions,
loaded from external Perl modules (assuemed to be in one of the
default Perl library paths),
By the above modification an unprivileged user was able get more
privileges by "injecting" malicious Perl functions.
I can imagine that a similar approach will work with LD_LIBRARY_PATH.
But … doesn't the loader clean the LD_LIBRARY_PATH if the RUID differs
from the EUID?
See ld.so(8) for LD_LIBRARY_PATH. Given that, I'm curious why setting
this variable works in your environment.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
signature.asc
Description: PGP signature
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries
Hey Jeremy, thanks, setting keep_environment = LD_LIBRARY_PATH in the main configuration file seemed to do the trick. About the security caveats: do you think that there could be bigger security issues if the code runs in an isolated environment like Gramine is? Or can you sketch how a possible security attack could look? Best regards, Gabriel On 02.11.22 16:50, Jeremy Harris via Exim-users wrote: On 31/10/2022 21:57, Dengler, Gabriel via Exim-users wrote: Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in Gramine, you can define which libraries have to be loaded. If that operates by setting an LD_LIBRARY_PATH env var, you could try adding that to the main-config option "keep_environment". Do read the manual section on it regarding security caveats. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] licensing and SPDX
On Mon, 31 Oct 2022, Heiko Schlittermann via Exim-users wrote: From a legal point of view (but IANAL by any means), we probably could find an SPDX identifier matching the *current* license statement of each individual file, to match the *current* intent. This implicates that the *current* license is compatible with any previous one or is confirmed by the holder of the previous license. Changing *all* files might be doable, but I wouldn't feel comfortable doing so, because it would require me to understand the licensing details of every single file. 1) require *new* files having the SPDX identifier 2) (in a 2nd step) require modified files having that identifier Both should be doable with hooks in our Git repo. Theoretically 2) means we cannot change a file if we do not understand its licensing details :-( -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries
On 31/10/2022 21:57, Dengler, Gabriel via Exim-users wrote: Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in Gramine, you can define which libraries have to be loaded. If that operates by setting an LD_LIBRARY_PATH env var, you could try adding that to the main-config option "keep_environment". Do read the manual section on it regarding security caveats. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
[exim] Exim in Gramine: defining search path for loading dynamic libraries
Hello everyone,
I wanted to run Exim in Gramine. Gramine is a software to support the
so-called Intel Software Guard Extension (SGX) which allows running
software in enclaves separated from the host environment (cmp.
https://gramineproject.io/).
I've already made some great progress and resolved a lot of issues with
Gramine that I documented here:
https://github.com/gramineproject/gramine/discussions/1013
Currently unsolved is a problem regarding the LD_LIBRARY_PATH: in
Gramine, you can define which libraries have to be loaded. A common
configuration is, e.g., "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}",
where "arch_libdir = /lib/x86_64-linux-gnu/". On the first startup, this
is correctly recognized. However, when Exim sends an e-mail, Exim
internally invokes the "exec" system call and somehow seems to overwrite
the LD_LIBRARY_PATH, since it now searches in the directory
"/usr/local/lib/" for libraries.
As a first workaround, you can also mount the necessary libraries in the
folder "/usr/local/lib/", however, this is no elegant solution.
Therefore I tried out to modify Exim, e.g. by adding this path to
"LOOKUP_LIBS" in the Local Makefile, but without success. I also noticed
this post:
https://www.exim.org/exim-html-4.66/doc/html/FAQ-html/FAQ_0.html#TOC32
So, this is my question: how could you adjust the load library path?
Best regards,
Gabriel
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim MariaDB and SSL
On Wed, 2 Nov 2022, Brent Clark via Exim-users wrote: On 2022/11/01 13:06, Heiko Schlittermann via Exim-users wrote: ::()[group>]/// (I missed the related function call in Exim's sources.) So having TLS options in one of the my.cnf should work. Maybe you used the wrong option group (as JGH guessed), or the wrong file, or wrong permissions on the file, or any combination of all these. Thanks guys Got it working. You don't say which of these suggestions, if any, helped. If I can suggest ... to the powers that be. Maybe update and clarify in the documentation (an example too couldn't hurt). Use it ... don't use it. The PTB are overloaded. Would you care to write the changes you would like to see and submit them either here to exim-...@exim.org ? -- Andrew C. Aitchison Kendal, UK and...@aitchison.me.uk -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim MariaDB and SSL
On 2022/11/01 13:06, Heiko Schlittermann via Exim-users wrote: ::()[]/// (I missed the related function call in Exim's sources.) So having TLS options in one of the my.cnf should work. Maybe you used the wrong option group (as JGH guessed), or the wrong file, or wrong permissions on the file, or any combination of all these. Thanks guys Got it working. If I can suggest ... to the powers that be. Maybe update and clarify in the documentation (an example too couldn't hurt). Use it ... don't use it. Many thanks again to the community for the help. Regards Brent Clark -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
