12-14-2010, 06:13 PM
Stephen Gran

exim-using packages - are you relying on -C or -D options?

This one time, at band camp, Ian Jackson said:
> Stephen Gran writes ("Re: exim-using packages - are you relying on -C
> or -D options?"):
>
> > The current alternative is to make exim refuse to execute if the
> > config file is not in a build-time configured directory. This is
> > what is being proposed, and if all your other config files are in
> > the same place, it sounds like this won't cause a problem for you.
>
> Right, I think it will be OK for me.
>
> Will it follow symlinks ? If so then the problem isn't that severe.

It doesn't appear to care about symlinks, from a quick read of exim.c.
It seems that so long as the directory name for the file passed to it
matches the configured directory name, it's happy. I would test this
rather than relying on my 5 minute guess about which is the right chunk
of code to read, though

Cheers,
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
 
12-14-2010, 06:50 PM
Ian Jackson

exim-using packages - are you relying on -C or -D options?

Stephen Gran writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> It doesn't appear to care about symlinks, from a quick read of exim.c.
> It seems that so long as the directory name for the file passed to it
> matches the configured directory name, it's happy. I would test this
> rather than relying on my 5 minute guess about which is the right chunk
> of code to read, though

Right. It should probably also refuse to read filenames matching
.* #* *# *~ *.tmp at the very least.

You wouldn't want to edit your exim.conf to get rid of a security
problem and find that the attacker could just tell it to use the old
file !

Ian.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/19719.51860.848292.372206@chiark.greenend.org.uk
 
12-18-2010, 03:46 PM
Andreas Metzler

exim-using packages - are you relying on -C or -D options?

Ian Jackson <ijackson@chiark.greenend.org.uk> wrote:
[...]
> Right. It should probably also refuse to read filenames matching
> .* #* *# *~ *.tmp at the very least.

> You wouldn't want to edit your exim.conf to get rid of a security
> problem and find that the attacker could just tell it to use the old
> file !

Hello,
The current status (GIT head) simply adds a file which contains a *list*
of trusted configuration files instead of a prefix.

cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


Archive: http://lists.debian.org/c45vt7-d9v.ln1@argenau.downhill.at.eu.org
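
The two policies discussed in this thread (a trusted directory prefix, optionally with the backup-name filter suggested above, versus an explicit list of trusted files), compared in an added example that is not part of any post and is not Exim's code. The directory, file names and function names are hypothetical and constructed for illustration.

```c
#include <fnmatch.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical trusted locations, constructed for this example. */
#define TRUSTED_DIR "/etc/exim4"
static const char *trusted_list[] = { "/etc/exim4/exim4.conf", NULL };

/* Prefix policy: accept any file whose directory name equals TRUSTED_DIR.
   Pure string comparison; nothing is resolved on disk. */
int prefix_allows(const char *path)
{
    char buf[4096];
    if (strlen(path) >= sizeof buf) return 0;
    strcpy(buf, path);               /* dirname() may modify its argument */
    return strcmp(dirname(buf), TRUSTED_DIR) == 0;
}

/* Prefix policy plus a denylist of editor leftovers: .* #* *# *~ *.tmp */
int prefix_allows_filtered(const char *path)
{
    static const char *deny[] = { ".*", "#*", "*#", "*~", "*.tmp", NULL };
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (int i = 0; deny[i]; i++)
        if (fnmatch(deny[i], base, 0) == 0) return 0;
    return prefix_allows(path);
}

/* List policy: accept only exact matches against the trusted list. */
int list_allows(const char *path)
{
    for (int i = 0; trusted_list[i]; i++)
        if (strcmp(path, trusted_list[i]) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample paths: live config, two stale copies, outside file. */
    const char *s[] = { "/etc/exim4/exim4.conf", "/etc/exim4/exim4.conf~",
                        "/etc/exim4/exim4.conf.orig", "/tmp/other.conf", NULL };
    for (int i = 0; s[i]; i++)
        printf("%-28s prefix=%d filtered=%d list=%d\n", s[i],
               prefix_allows(s[i]), prefix_allows_filtered(s[i]), list_allows(s[i]));
    return 0;
}
```

The stale copy ending in `.orig` passes the filtered prefix check because a denylist of name patterns only covers the leftovers someone thought of; the explicit list accepts nothing but the named file.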
 
12-20-2010, 10:22 AM
Ian Jackson

exim-using packages - are you relying on -C or -D options?

Andreas Metzler writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> The current status (GIT head) simply adds a file which contains a *list*
> of trusted configuration files instead of a prefix.

That's good enough for me. And it should be good enough for anyone
else because you can have anything which needs to generate a config on
the fly edit the list (via something like userv if it isn't already
running as root).

Thanks for taking the time to discuss and investigate this. I
appreciate the attention to detail and particularly to compatibility :-).

Ian.


Archive: http://lists.debian.org/19727.15460.182545.128861@chiark.greenend.org.uk
 
12-22-2010, 08:52 AM
Andreas Metzler

exim-using packages - are you relying on -C or -D options?

Ian Jackson <ijackson@chiark.greenend.org.uk> wrote:
> Andreas Metzler writes ("Re: exim-using packages - are you relying on -C or -D options?"):
>> The current status (GIT head) simply adds a file which contains a *list*
>> of trusted configuration files instead of a prefix.

> That's good enough for me. And it should be good enough for anyone
> else because you can have anything which needs to generate a config on
> the fly edit the list (via something like userv if it isn't already
> running as root).

> Thanks for taking the time to discuss and investigate this. I
> appreciate the attention to detail and particularly to compatibility :-).

Thank you for the feedback. The update seems to be more or less done
now.

http://www.bebt.de/blog/debian/archives/2010/12/21/T16_35_58/index.html

cu andreas


Archive: http://lists.debian.org/kbu8u7-86a.ln1@argenau.downhill.at.eu.org
 
