Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Chris Edwards via Exim-users (Sat 08 May 2021 13:15:45 CEST):
> On Tue, 6 Apr 2021, Heiko Schlittermann via Exim-users wrote:
>
> > Currently I'm running this on production systems without any issues so
> > far. You're invited to do tests in your systems too.
>
> Trying this version, with allow_insecure_tainted_data set, then this:
>
> testlist:
>   driver = redirect
>   data = :include:/some/where/${local_part}
>
> fails with error:
>
> LOG: MAIN PANIC DIE
> Taint mismatch, Ustrncpy: parse_forward_list 1393
>
> It looks like the :include: might be the issue.
>
> Not a problem here as I've now detainted this, but thought to report back.

Thanks, I'll try to reproduce it, and fix it.

-- 
Heiko

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
On Tue, 6 Apr 2021, Heiko Schlittermann via Exim-users wrote:

> "ALLOW_INSECURE_TAINTED_DATA", currently enabled. Using this build time
> option provides a new runtime option "allow_insecure_tainted_data", which
> turns taint errors into warnings (and spams your log file).
[...]
> Currently I'm running this on production systems without any issues so
> far. You're invited to do tests in your systems too.

Trying this version, with allow_insecure_tainted_data set, then this:

testlist:
  driver = redirect
  data = :include:/some/where/${local_part}

fails with error:

LOG: MAIN PANIC DIE
Taint mismatch, Ustrncpy: parse_forward_list 1393

It looks like the :include: might be the issue.

Not a problem here as I've now detainted this, but thought to report back.

Cheers
Chris
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Thank you for spending your time :)

Andreas Metzler via Exim-users (Sun 25 Apr 2021 08:12:58 CEST):
>  void
> -openlogs();
> +open_logs(const char *m);
>
> is the proper fix?

It is one possible fix. But the char* isn't used anymore (was there for
debugging). I updated the branch.

> log.c: In function 'set_file_path':
> log.c:654:45: warning: pointer type mismatch in conditional expression
>   654 | uschar *ss = *log_file_path ? log_file_path : LOG_FILE_PATH;

Same here. Fixed.

> In file included from exim.h:486,
>                  from log.c:13:
> log.c:657:31: warning: passing argument 1 of 'string_nextinlist_trc' from
> incompatible pointer type [-Wincompatible-pointer-types]
>   657 |   while ((s = string_nextinlist(, , log_buffer,
> LOG_BUFFER_SIZE)))
> functions.h:560:25: note: in definition of macro 'string_nextinlist'
>   560 |   string_nextinlist_trc((lp), (sp), (b), (l), US __FUNCTION__,
> __LINE__)

ditto. And finally I set my compiler options to be about the same as yours.

-- 
Heiko
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-25 Andreas Metzler wrote:
> On 2021-04-24 Heiko Schlittermann wrote:
> > I believe, the issue is fixed now. I'd be happy, if you **or anybody
> > else** can give it a try. To avoid cluttering the official Exim repo,
> > this branch is still only in my private but public repositories:
> [...]
> Good morning Heiko,
> thank you. Will upload to Debian/experimental.
[...]

Hello,

I forgot to confirm that the updated patchset fixes the error I had
reported. ;-)

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-24 Heiko Schlittermann wrote:
> I believe, the issue is fixed now. I'd be happy, if you **or anybody
> else** can give it a try. To avoid cluttering the official Exim repo,
> this branch is still only in my private but public repositories:
[...]

Good morning Heiko,

thank you. Will upload to Debian/experimental.

Compiler throws two new warnings:

appendfile.c: In function 'appendfile_transport_setup':
appendfile.c:238:1: warning: implicit declaration of function 'open_logs'; did you mean 'openlogs'? [-Wimplicit-function-declaration]
  238 | open_logs("appendfile");
      | ^
      | openlogs

I guess

 void
-openlogs();
+open_logs(const char *m);

is the proper fix?

log.c: In function 'set_file_path':
log.c:654:45: warning: pointer type mismatch in conditional expression
  654 | uschar *ss = *log_file_path ? log_file_path : LOG_FILE_PATH;
      |                                             ^
In file included from exim.h:486,
                 from log.c:13:
log.c:657:31: warning: passing argument 1 of 'string_nextinlist_trc' from incompatible pointer type [-Wincompatible-pointer-types]
  657 |   while ((s = string_nextinlist(, , log_buffer, LOG_BUFFER_SIZE)))
functions.h:560:25: note: in definition of macro 'string_nextinlist'
  560 |   string_nextinlist_trc((lp), (sp), (b), (l), US __FUNCTION__, __LINE__)
      |                         ^~
functions.h:561:53: note: expected 'const uschar **' {aka 'const unsigned char **'} but argument is of type 'uschar **' {aka 'unsigned char **'}
  561 | extern uschar *string_nextinlist_trc(const uschar **listptr, int *separator, uschar *buffer, int buflen,
      |                                      ~~~^~~

cu Andreas
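Review bot: the proposed prototype `+open_logs(const char *m);` silences the implicit-declaration warning at appendfile.c:238 only if it matches the definition in log.c; in C a prototype that disagrees with the definition compiles cleanly in each translation unit and goes wrong at run time instead of at build time, so the declaration, the definition and the caller `open_logs("appendfile")` need to agree. If the string argument exists only for debugging, dropping it from all three is the cleaner change. Separately, the two `log.c` warnings (the `const`-less `LOG_FILE_PATH` in the conditional at line 654 and the `uschar **` passed where `string_nextinlist_trc` expects `const uschar **` at line 657) are type mismatches in the same new code and should be fixed in the same commit rather than left for the packagers to carry.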
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Hi Andreas,

I believe, the issue is fixed now. I'd be happy, if you **or anybody
else** can give it a try. To avoid cluttering the official Exim repo,
this branch is still only in my private but public repositories:

https://git.exim.org/users/heiko/exim.git/shortlog/refs/heads/exim-4.94+fixes+taintwarn
https://gitea.schlittermann.de/heiko/exim/src/branch/exim-4.94+fixes+taintwarn

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
-- 
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) -
{fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE -
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Hi Andreas,

the problem isn't caused by the new allow_insecure_tainted_data, but
these warnings trigger the issue. We're in the process of fixing it.

-- 
Heiko
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Heiko Schlittermann via Exim-users (Sun 11 Apr 2021 09:08:10 CEST):
> Hi Andreas,
>
> which commit ID is your build based on? I'd like to reproduce it
> locally.

I can reproduce it using a minimal config, going to check it now.
(The version I'm running on production systems doesn't do local delivery.)

allow_insecure_tainted_data = yes
log_selector = +pid
acl_smtp_rcpt = accept

begin routers

accept:
  driver = accept
  check_local_user
  transport = local

begin transports

local:
  driver = appendfile
  group = mail
  file = /opt/exim/spool/mail/$local_part

-- 
Heiko
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Hi Andreas,

which commit ID is your build based on? I'd like to reproduce it
locally.

Andreas Metzler via Exim-users (Sun 11 Apr 2021 08:51:48 CEST):
> On 2021-04-06 Heiko Schlittermann via Exim-users wrote:
> [...]
> > .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> > allow_insecure_tainted_data = yes
> > .endif
>
> Hello,
>
> I just did a test build on the fixes branch, added the
> allow_insecure_tainted_data setting and changed the mail_spool
> transport:
> - file = /var/mail/$local_part_data
> + file = /var/mail/$local_part
>
> Success was limited though. Without the patch the message delivery is
> deferred. With the patch the message is frozen for
> "allow_insecure_tainted_data = yes" (log file excerpt below).
>
> ==> /var/log/exim4/mainlog <==
> 2021-04-11 08:26:08 1lVTXs-000F7W-0D <= ametz...@bebt.de H=localhost
> (argenau.bebt.de) [::1] P=esmtp S=476 id=20210411082607.058...@argenau.bebt.de
> 2021-04-11 08:26:08 1lVTXs-000F7W-0D failed to read delivery status for
> ametzler@localhost from delivery subprocess
>
> Debug log:
…
> 08:26:08 58130 ╰──(tainted)
> 08:26:08 58130 LOG: MAIN
> 08:26:08 58130 Warning: Tainted '/var/mail/ametzler' (file or directory
> name for mail_spool transport) not permitted
> 2021-04-11 08:26:08 1lVTXs-000F7W-0D Warning: Tainted '/var/mail/ametzler'
> (file or directory name for mail_spool transport) not permitted
…
> 08:26:08 58130 lock name: /var/mail/ametzler.lock
> 08:26:08 58130 hitch name:
> /var/mail/ametzler.lock.argenau.bebt.de.60729680.e312
> 08:26:08 58130 LOG: MAIN
> 08:26:08 58130 Warning: Tainted filename
> '/var/mail/ametzler.lock.argenau.bebt.de.60729680.e312'
> 08:26:08 58128 LOG: MAIN PANIC
> 08:26:08 58128 failed to read delivery status for ametzler@localhost from
> delivery subprocess

Is there any indication that the child (delivery process) crashed?

> BTW the build-log with patch is very noisy:
> ---
> cc -c -g -O2 -ffile-prefix-map=/dev/shm/EXIM4/exim-4.94=. -fstack-protector-strong -Wformat -Werror=format-security -D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall -Wdate-time -D_FORTIFY_SOURCE=2 -fvisibility=hidden -DCOMPILE_UTILITY -o util-spool_in.o spool_in.c
> In file included from exim.h:486,

I'll check that noise. Thx.

-- 
Heiko
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-06 Heiko Schlittermann via Exim-users wrote:
[...]
> .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> allow_insecure_tainted_data = yes
> .endif

Hello,

I just did a test build on the fixes branch, added the
allow_insecure_tainted_data setting and changed the mail_spool
transport:
- file = /var/mail/$local_part_data
+ file = /var/mail/$local_part

Success was limited though. Without the patch the message delivery is
deferred. With the patch the message is frozen for
"allow_insecure_tainted_data = yes" (log file excerpt below).

==> /var/log/exim4/mainlog <==
2021-04-11 08:26:08 1lVTXs-000F7W-0D <= ametz...@bebt.de H=localhost (argenau.bebt.de) [::1] P=esmtp S=476 id=20210411082607.058...@argenau.bebt.de
2021-04-11 08:26:08 1lVTXs-000F7W-0D failed to read delivery status for ametzler@localhost from delivery subprocess

Debug log:
08:26:08 58128 R: local_user for ametzler@localhost
08:26:08 58128 calling local_user router
08:26:08 58128 local_user router called for ametzler@localhost
08:26:08 58128   domain = localhost
08:26:08 58128 set transport mail_spool
08:26:08 58128 queued for mail_spool transport: local_part = ametzler
08:26:08 58128   domain = localhost
08:26:08 58128   errors_to=NULL
08:26:08 58128   domain_data=localhost local_part_data=ametzler
08:26:08 58128 routed by local_user router
08:26:08 58128   envelope to: ametzler@localhost
08:26:08 58128   transport: mail_spool
08:26:08 58128 >>
08:26:08 58128 After routing:
08:26:08 58128   Local deliveries:
08:26:08 58128     ametzler@localhost
08:26:08 58128   Remote deliveries:
08:26:08 58128   Failed addresses:
08:26:08 58128   Deferred addresses:
08:26:08 58128 search_tidyup called
08:26:08 58128 Local deliveries
08:26:08 58128 > ametzler@localhost <
08:26:08 58128 locking /var/spool/exim4/db/retry.lockfile
08:26:08 58128 locked /var/spool/exim4/db/retry.lockfile
08:26:08 58128 EXIM_DBOPEN: file dir flags=O_RDONLY
08:26:08 58128 returned from EXIM_DBOPEN: 0x55693f0b8380
08:26:08 58128 opened hints database /var/spool/exim4/db/retry: flags=O_RDONLY
08:26:08 58128 dbfn_read: key=T:ametzler@localhost
08:26:08 58128 retry record exists: age=5m11s (max 1w)
08:26:08 58128   time to retry = 9m49s expired = 0
08:26:08 58128 EXIM_DBCLOSE(0x55693f0b8380)
08:26:08 58128 closed hints database and lockfile
08:26:08 58128 search_tidyup called
08:26:08 58128 daemon-accept-delivery forking for delivery-local
08:26:08 58128 daemon-accept-delivery forked for delivery-local: 58130
08:26:08 58130 postfork: delivery-local
08:26:08 58130 changed uid/gid: local delivery to ametzler transport=mail_spool
08:26:08 58130   uid=1001 gid=8 pid=58130
08:26:08 58130   auxiliary group list:
08:26:08 58130 home=/home/ametzler current=/home/ametzler
08:26:08 58130 set_process_info: 58130 delivering 1lVTXs-000F7W-0D to ametzler using mail_spool
08:26:08 58130  ╭considering: T: appendfile for $local_part@$domain
08:26:08 58130  ├──expanding: T: appendfile for $local_part@$domain
08:26:08 58130  ╰─result: T: appendfile for ametzler@localhost
08:26:08 58130  ╰──(tainted)
08:26:08 58130 T: appendfile for ametzler@localhost
08:26:08 58130 appendfile transport entered
08:26:08 58130  ╭considering: /var/mail/$local_part
08:26:08 58130  ├──expanding: /var/mail/$local_part
08:26:08 58130  ╰─result: /var/mail/ametzler
08:26:08 58130  ╰──(tainted)
08:26:08 58130 LOG: MAIN
08:26:08 58130   Warning: Tainted '/var/mail/ametzler' (file or directory name for mail_spool transport) not permitted
2021-04-11 08:26:08 1lVTXs-000F7W-0D Warning: Tainted '/var/mail/ametzler' (file or directory name for mail_spool transport) not permitted
08:26:08 58130 appendfile: mode=660 notify_comsat=0 quota=0 warning=0
08:26:08 58130   file=/var/mail/ametzler format=unix
08:26:08 58130   message_prefix=From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n
08:26:08 58130   message_suffix=\n
08:26:08 58130   maildir_use_size_file=no
08:26:08 58130 locking by lockfile fcntl
08:26:08 58130 lock name: /var/mail/ametzler.lock
08:26:08 58130 hitch name: /var/mail/ametzler.lock.argenau.bebt.de.60729680.e312
08:26:08 58130 LOG: MAIN
08:26:08 58130   Warning: Tainted filename '/var/mail/ametzler.lock.argenau.bebt.de.60729680.e312'
08:26:08 58128 LOG: MAIN PANIC
08:26:08 58128   failed to read delivery status for ametzler@localhost from delivery subprocess
08:26:08 58128 LOG: MAIN PANIC
08:26:08 58128   appendfile transport process returned non-zero status 0x0100: exit code 1
08:26:08 58128 mail_spool transport returned DEFER for ametzler@localhost
08:26:08 58128 added retry item for T:ametzler@localhost: errno=-1 more_errno=0 flags=0
08:26:08 58128 post-process ametzler@localhost (1)
08:26:08 58128 LOG: MAIN
08:26:08 58128   == ametzler@localhost R=local_user T=mail_spool defer (-1)

BTW the build-log with
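Review bot: the change `- file = /var/mail/$local_part_data` / `+ file = /var/mail/$local_part` puts the raw envelope local part back into a file name, which is exactly the pattern the taint check is there to stop; the debug log confirms it (`/var/mail/$local_part` expands to `/var/mail/ametzler` marked `(tainted)`, followed by `Warning: Tainted '/var/mail/ametzler' ... not permitted`). As a deliberate test of the warning path that is fine, but the shipped Debian configuration should keep the `$local_part_data` line, since `check_local_user` has already verified that value (the router trace shows `local_part_data=ametzler`). Note also that the second warning, `Tainted filename '/var/mail/ametzler.lock...'`, is the last line the child 58130 logs before the parent reports `failed to read delivery status` and `exit code 1`: the lock-file name is derived from the same tainted path, so the child's exit right after that warning is the place to look for the remaining defect, not the configuration.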
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Andreas Metzler via Exim-users (Sat 10 Apr 2021 18:06:05 CEST):
> On 2021-04-06 Heiko Schlittermann via Exim-users wrote:
> [...]
> > .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> > allow_insecure_tainted_data = yes
> > .endif
> [...]
> > Suggestions, questions, remarks are welcome.
>
> Nitpicks:
> * The changes to doc/NewStuff should not be on +fixes.
> * typos in spec.xftp: s/acessing/accessing/

Ok, I'll fix that, thank you.

-- 
Heiko
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Andreas Metzler via Exim-users (Sat 10 Apr 2021 17:37:56 CEST):
> On 2021-04-06 Heiko Schlittermann via Exim-users wrote:
> [...]
> > .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> > allow_insecure_tainted_data = yes
> > .endif
> [...]
> > But as soon as the work stabilizes, it will be merged into the upstream
> > source. (For now, please expect changes in the commit history!)
> [...]
> > Suggestions, questions, remarks are welcome.
>
> Thank you Heiko!
>
> I plan to add this to the next Debian release but without "taintwarn:
> set allow_insecure_data = true for 4.94+fixes". - I think it will work
> out better if we have a big fat warning

It would be good if we find more testers. Anybody out there?

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
-- 
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) -
{fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE -
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-06 Heiko Schlittermann via Exim-users wrote:
[...]
> .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> allow_insecure_tainted_data = yes
> .endif
[...]
> Suggestions, questions, remarks are welcome.

Nitpicks:
* The changes to doc/NewStuff should not be on +fixes.
* typos in spec.xftp: s/acessing/accessing/

cu Andreas
Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
On 2021-04-06 Heiko Schlittermann via Exim-users wrote:
[...]
> .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
> allow_insecure_tainted_data = yes
> .endif
[...]
> But as soon as the work stabilizes, it will be merged into the upstream
> source. (For now, please expect changes in the commit history!)
[...]
> Suggestions, questions, remarks are welcome.

Thank you Heiko!

I plan to add this to the next Debian release but without "taintwarn:
set allow_insecure_data = true for 4.94+fixes". - I think it will work
out better if we have a big fat warning

| Consider this a major exim release, almost all customized configurations
| will require changes ...

and a note on how to *temporarily* work around this by setting
allow_insecure_tainted_data in advance. If I do not do this I expect a
neverending list of reports about either spammed logfile or breakage
reports on 4.95.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
[exim] "allow_insecure_tainted_data = yes" - was: tainted data issues
Hi,

finally a follow-up.

> In one word "upvote".
>
> I am all for improved security but a single "step change" that breaks
> existing configurations is IMHO going too far.
>
> taint_mode = off | warn | enforce

.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif

The EDITME contains a new build time option "ALLOW_INSECURE_TAINTED_DATA",
currently enabled. Using this build time option provides a new runtime
option "allow_insecure_tainted_data", which turns taint errors into
warnings (and spams your log file). If you do not want the warnings
logged, you can use the "tainted" log selector to switch off the warnings.

The "allow_insecure_tainted_data" option is deprecated already today and
future versions of Exim (no schedule yet) will ignore this option. It's
purely meant as mitigation during upgrades.

I hope we can introduce this mitigation into 4.94+fixes and into the
upcoming 4.95. But we need testing.

For now I'm doing the work on my own but public Exim repos:
- https://gitea.schlittermann.de/HeikoSchlittermann/exim/src/branch/exim-4.94+fixes+taintwarn
- https://git.exim.org/users/heiko/exim.git/shortlog/refs/heads/exim-4.94+fixes+taintwarn

But as soon as the work stabilizes, it will be merged into the upstream
source. (For now, please expect changes in the commit history!)

Currently I'm running this on production systems without any issues so
far. You're invited to do tests in your systems too.

(The above mentioned branch is cherry-picked and squashed from the
"hs/wip/taintwarn" branch, which is based on the current master.
- https://gitea.schlittermann.de/HeikoSchlittermann/exim/src/branch/hs/wip/taintwarn
- https://git.exim.org/users/heiko/exim.git/shortlog/refs/heads/hs/wip/taintwarn
Same here, please expect rewrites of the Git history, as long as I'm
working on it.)

Suggestions, questions, remarks are welcome.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
-- 
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) -
{fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --- key ID: F69376CE -
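Worked example, added here and not taken from the thread or from the Exim project: a configuration fragment that puts the two tainted settings reported in this thread (the appendfile `file` path and the redirect `:include:` path) next to their de-tainted replacements, together with the build-guarded mitigation from the announcement above. The router and transport names, `/var/mail`, `/some/where` and the `.ifdef` guard come from the messages in the thread; the `dsearch,ret=full` lookup used to de-taint the include path is my assumption about how a migrated configuration could look, not something the thread proposes.

```exim
# Added example, not from the thread. Exim 4.94-style fragment showing the
# tainted settings reported above beside their de-tainted replacements.

# Temporary mitigation from the announcement. The .ifdef guard keeps the
# line out of the configuration when this Exim was not built with
# ALLOW_INSECURE_TAINTED_DATA; otherwise the unknown option would be a
# configuration error. Taint errors become log warnings instead of
# deferrals, and the option is already declared deprecated.
.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif

# The announcement names a "tainted" log selector for silencing the
# warnings. Leaving them on during the migration shows what is still left.
# log_selector = -tainted

begin routers

# List aliases kept one file per list under /some/where.
# Tainted form reported in this thread:
#   data = :include:/some/where/$local_part
# De-tainted form (assumption, not from the thread): the result of a
# lookup is untainted, and a dsearch with ret=full returns the full path
# only when that entry exists in the directory. A local part that does not
# name an existing file makes the lookup fail, so the router declines.
testlist:
  driver = redirect
  data = :include:${lookup{$local_part}dsearch,ret=full{/some/where}}

# check_local_user looks the local part up in the password database and,
# on success, sets $local_part_data to the verified user name (the debug
# log above shows "local_part_data=ametzler" at this point).
local_user:
  driver = accept
  check_local_user
  transport = mail_spool

begin transports

# Tainted form from the Debian test above, kept here as a comment:
# $local_part comes straight from the envelope and expands with
# "(tainted)" in the debug log, which is what raised
# "Warning: Tainted '/var/mail/ametzler' ... not permitted".
#   file = /var/mail/$local_part

# De-tainted form: use the value check_local_user already verified.
mail_spool:
  driver = appendfile
  file = /var/mail/$local_part_data
  group = mail
  mode = 0660
```

The point of the pairing is that the mitigation only changes what Exim does when it meets tainted data; it does not make the data safe. Each `file`, `directory` or `:include:` path that currently uses a raw `$local_part`, `$domain` or header value needs to be replaced by a value Exim obtained from a lookup or from `check_local_user`, and the warnings left in the log by the option above are the to-do list for that work.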