FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 12-12-2010, 01:50 PM
Andreas Metzler
 
Default exim-using packages - are you relying on -C or -D options?

Hello,

fixing the exim privilege escalation bug
http://bugs.exim.org/show_bug.cgi?id=1044 /might/ break exim's -C (use
an alternate configuration file) or -D (set macro value) command line
options. I am wondering how much collateral damage this would cause.

Do you know packages that rely on the -D or -C options? For -C
option, in which directory is the alternate configuration file searched
for?

I have already found mailscanner (uses -D) and I think amavisd-new
would continue to work (verification welcome ). Any other candidates?

thanks, cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20101212145053.GF2099@downhill.g.la">http://lists.debian.org/20101212145053.GF2099@downhill.g.la
 
Old 12-12-2010, 07:21 PM
Heiko Schlittermann
 
Default exim-using packages - are you relying on -C or -D options?

Hello,

not talking about packages but about daily use…

Andreas Metzler <ametzler@downhill.at.eu.org> (So 12 Dez 2010 15:50:53 CET):
> Hello,
>
> fixing the exim privilege escalation bug
> http://bugs.exim.org/show_bug.cgi?id=1044 /might/ break exim's -C (use
> an alternate configuration file) or -D (set macro value) command line
> options. I am wondering how much collateral damage this would cause.
>
> Do you know packages that rely on the -D or -C options? For -C
> option, in which directory is the alternate configuration file searched
> for?

I didn't follow the whole discussion, I just wanted to note, that there
*should* be a possibility to start exim with an alternative config file.

This is used for just checking the config file before moving it to the
final place, and for some test installations or even running exims on
different IPs with different configs.

--
Heiko
 
Old 12-12-2010, 08:35 PM
Ian Jackson
 
Default exim-using packages - are you relying on -C or -D options?

Andreas Metzler writes ("exim-using packages - are you relying on -C or -D options?"):
> Do you know packages that rely on the -D or -C options? For -C
> option, in which directory is the alternate configuration file searched
> for?

sauce uses the -C option. And chiark's mail system relies on -C very
heavily in other ways. Please don't break it.

Ian.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 19717.16407.784422.915704@chiark.greenend.org.uk"> http://lists.debian.org/19717.16407.784422.915704@chiark.greenend.org.uk
 
Old 12-13-2010, 06:45 AM
Stephen Gran
 
Default exim-using packages - are you relying on -C or -D options?

This one time, at band camp, Ian Jackson said:
> Andreas Metzler writes ("exim-using packages - are you relying on -C or -D options?"):
> > Do you know packages that rely on the -D or -C options? For -C
> > option, in which directory is the alternate configuration file searched
> > for?
>
> sauce uses the -C option. And chiark's mail system relies on -C very
> heavily in other ways. Please don't break it.

Can it limit itsef to a choice of two non world-writable directories?
That is the only current way to keep a successful break-in to the exim
account from escalating to root. There is a patch on exim-dev to allow
this to work without escalated privileges, but it's not in the lenny
exim.

Cheers,
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
 
Old 12-13-2010, 11:13 AM
Ian Jackson
 
Default exim-using packages - are you relying on -C or -D options?

Stephen Gran writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> This one time, at band camp, Ian Jackson said:
> > sauce uses the -C option. And chiark's mail system relies on -C very
> > heavily in other ways. Please don't break it.
>
> Can it limit itsef to a choice of two non world-writable directories?

The other config files are in /etc/exim4 just like the main one, if
that's what you mean.

> That is the only current way to keep a successful break-in to the exim
> account from escalating to root. There is a patch on exim-dev to allow
> this to work without escalated privileges, but it's not in the lenny
> exim.

Are you saying the current exim4 package in lenny-security already has
the disability you are discussing ?

Ian.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 19718.3565.160216.465112@chiark.greenend.org.uk">h ttp://lists.debian.org/19718.3565.160216.465112@chiark.greenend.org.uk
 
Old 12-14-2010, 09:53 AM
Stephen Gran
 
Default exim-using packages - are you relying on -C or -D options?

This one time, at band camp, Ian Jackson said:
> Stephen Gran writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> > This one time, at band camp, Ian Jackson said:
> > > sauce uses the -C option. And chiark's mail system relies on -C very
> > > heavily in other ways. Please don't break it.
> >
> > Can it limit itsef to a choice of two non world-writable directories?
>
> The other config files are in /etc/exim4 just like the main one, if
> that's what you mean.
>
> > That is the only current way to keep a successful break-in to the exim
> > account from escalating to root. There is a patch on exim-dev to allow
> > this to work without escalated privileges, but it's not in the lenny
> > exim.
>
> Are you saying the current exim4 package in lenny-security already has
> the disability you are discussing ?

AIUI, no, not yet. Currently exim will accept -C to any file in any
location. This makes it trivial for an attacker to escalate from exim
to root by making any expansion in the config file run code as a
privileged user. The current alternative is to make exim refuse to
execute if the config file is not in a build-time configured directory.
This is what is being proposed, and if all your other config files are in
the same place, it sounds like this won't cause a problem for you.

The patch I'm talking about allows execution outside of the configured
directory, but without escalated privileges. This would be more
flexible for users testing things, but it doesn't sound like it's
relevant at the moment for your needs.

Cheers,
--
-----------------------------------------------------------------
| ,'`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
 
Old 12-14-2010, 10:21 AM
Peter Samuelson
 
Default exim-using packages - are you relying on -C or -D options?

[Stephen Gran]
> Currently exim will accept -C to any file in any location. This
> makes it trivial for an attacker to escalate from exim to root by
> making any expansion in the config file run code as a privileged
> user. The current alternative is to make exim refuse to execute if
> the config file is not in a build-time configured directory.

...Or just fstat() the file after you open it, to make sure it's owned
by root:root, and !(mode & 002) ? I mean, is there a legitimate case
where this wouldn't be true?

--
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20101214112153.GE13651@p12n.org">http://lists.debian.org/20101214112153.GE13651@p12n.org
 
Old 12-14-2010, 10:28 AM
Håkon Alstadheim
 
Default exim-using packages - are you relying on -C or -D options?

Den 14. des. 2010 12:21, skrev Peter Samuelson:

[Stephen Gran]


Currently exim will accept -C to any file in any location. This
makes it trivial for an attacker to escalate from exim to root by
making any expansion in the config file run code as a privileged
user. The current alternative is to make exim refuse to execute if
the config file is not in a build-time configured directory.


...Or just fstat() the file after you open it, to make sure it's owned
by root:root, and !(mode& 002) ? I mean, is there a legitimate case
where this wouldn't be true?


If you do that please log an error when failing. Scratched my head a few
times over such security-measures. I know, "my bad" but still ...


--
Håkon Alstadheim / N-7510 Skatval / email:hakon@alstadheim.priv.no
tlf: 74 82 60 27 mob: 47 35 39 38
http://alstadheim.priv.no/hakon/
spamtrap: finnesikke@alstadheim.priv.no -- 1 hit& you are out



--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4D0754F2.2080901@alstadheim.priv.no">http://lists.debian.org/4D0754F2.2080901@alstadheim.priv.no
 
Old 12-14-2010, 12:34 PM
Ian Jackson
 
Default exim-using packages - are you relying on -C or -D options?

Stephen Gran writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> This one time, at band camp, Ian Jackson said:
> > Are you saying the current exim4 package in lenny-security already has
> > the disability you are discussing ?
>
> AIUI, no, not yet. Currently exim will accept -C to any file in any
> location. This makes it trivial for an attacker to escalate from exim
> to root by making any expansion in the config file run code as a
> privileged user.

Ah, yes, I see.

> The current alternative is to make exim refuse to
> execute if the config file is not in a build-time configured directory.
> This is what is being proposed, and if all your other config files are in
> the same place, it sounds like this won't cause a problem for you.

Right, I think it will be OK for me.

Will it follow symlinks ? If so then the problem isn't that sever.

> The patch I'm talking about allows execution outside of the configured
> directory, but without escalated privileges. This would be more
> flexible for users testing things, but it doesn't sound like it's
> relevant at the moment for your needs.

Indeed.

Thanks,
Ian.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 19719.29274.420376.58323@chiark.greenend.org.uk">h ttp://lists.debian.org/19719.29274.420376.58323@chiark.greenend.org.uk
 
Old 12-14-2010, 12:43 PM
Ian Jackson
 
Default exim-using packages - are you relying on -C or -D options?

Peter Samuelson writes ("Re: exim-using packages - are you relying on -C or -D options?"):
> [Stephen Gran]
> > Currently exim will accept -C to any file in any location. This
> > makes it trivial for an attacker to escalate from exim to root by
> > making any expansion in the config file run code as a privileged
> > user. The current alternative is to make exim refuse to execute if
> > the config file is not in a build-time configured directory.
>
> ...Or just fstat() the file after you open it, to make sure it's owned
> by root:root, and !(mode & 002) ? I mean, is there a legitimate case
> where this wouldn't be true?

Whenever anyone suggests something like this you can be pretty sure
they're doing it wrong. This is no exception.

Ownership of a file does not imply endorsement of its contents. If
you wanted to endorse the contents of a file you would have to put it
in a special location, or perhaps set a set-id bit.

Ian.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 19719.29826.448522.385227@chiark.greenend.org.uk"> http://lists.debian.org/19719.29826.448522.385227@chiark.greenend.org.uk
 

Thread Tools




All times are GMT. The time now is 10:42 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org