List:       exim-users
Subject:    Re: [Exim] Security
From:       Philip Hazel <ph10 () cus ! cam ! ac ! uk>
Date:       2000-10-31 8:44:21

On Mon, 30 Oct 2000, Marilyn Davis wrote:

> My first task is to write a little paper proposing election software
> based on free software.  In the paper I want to say that there have
> been no security bugs logged against exim in ..... length of time.
> Can anyone tell me that?  Or tell me what I can say truthfully about
> the security of exim?

AFAIK, there has never been a security bug for an exposure to an 
external user. There have been some for exposures to internal users, 
that is, users logged in to the host which is running Exim. That does 
not, of course, mean that there are no lurking bugs!

  1. Back in 1.62 there was a potential buffer overrun in the code for
  :include: files. This was fixed in 1.70 (released August, 1997).
  
  2. More recently, it has been pointed out that passwords (for things 
  like mysql) that are specified in the configuration file are exposed to
  local users via the -bP options. A means of hiding certain settings is
  implemented in the testing releases and will be in the next release.
  
  3. Also recently, it has been pointed out that the -be option can allow 
  unprivileged users to read files they should not be able to. This is 
  also fixed in the next release.
  
  4. What have I forgotten? Anybody remember any more?
  
People have said several times that there should be a security audit. I 
entirely agree, but if anybody has done one, they have not published the 
results, to my knowledge. 

I have learned a lot about these issues since I started to write Exim. I 
now finally understand why seteuid() is such a bad idea, even in the 
relatively "minor" way that Exim uses it. Once the next release is out
the door (by the end of the year) I am going to write a "white paper"
about future directions, and one of the things in it will be a proposal
to remove the use of seteuid() altogether (currently it is used to give up
privilege temporarily (a) while directing/routing (b) while running user
filters and (c) while doing some require_files checks).

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@cus.cam.ac.uk      Cambridge, England. Phone: +44 1223 334714.
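The point about seteuid() above is that it only changes the effective uid; the privilege is parked in the saved uid and any code run while "unprivileged" (a user filter, for instance) can simply set it back. The following is an added example, not code from Exim or from this message, contrasting that temporary drop with an irreversible one that also clears the saved id. It assumes Linux/glibc (getresuid/setresuid/setgroups); the function names are hypothetical. Run as an ordinary user it exercises the calls without changing anything; the difference between the two patterns only shows up in a setuid-root binary.

```c
/* Added example, not from Exim. Assumes Linux/glibc for getresuid(),
 * setresuid(), setresgid() and setgroups(). */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Returns 1 if real, effective and saved uids are all equal, i.e. no
 * privilege is held in the saved uid that the process could reclaim. */
int no_saved_privilege(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return 0;
    return r == e && e == s;
}

/* The seteuid() pattern the message describes: only the effective uid is
 * changed. Returns 1 if the old effective uid can afterwards be restored,
 * which is exactly the problem: whatever runs in between can do the same.
 * Returns -1 if the initial drop itself fails. */
int temporary_drop_is_reversible(uid_t unpriv) {
    uid_t old = geteuid();
    if (seteuid(unpriv) != 0) return -1;
    /* ... untrusted work (e.g. a user filter) would run here ... */
    return seteuid(old) == 0;
}

/* Irreversible drop: set real, effective AND saved ids, then verify.
 * Supplementary groups are cleared first because that needs euid 0.
 * Returns 0 on success, -1 on any failure. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    uid_t r, e, s;
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Check, rather than assume, that the saved uid was really replaced. */
    if (getresuid(&r, &e, &s) != 0) return -1;
    if (r != uid || e != uid || s != uid) return -1;
    return 0;
}

int main(void) {
    uid_t me = getuid();
    gid_t mg = getgid();
    printf("no_saved_privilege before: %d\n", no_saved_privilege());
    printf("temporary drop reversible: %d\n",
           temporary_drop_is_reversible(me));
    printf("permanent drop result:     %d\n",
           drop_privileges_permanently(me, mg));
    printf("no_saved_privilege after:  %d\n", no_saved_privilege());
    return 0;
}
```

The verification step in drop_privileges_permanently() matters: on some kernels a partially failed setresuid() leaves the ids in a mixed state, so a privilege drop should always be confirmed by reading the ids back rather than by trusting the return value alone.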
