Re: [exim-dev] Exim and SELinux

On Wed, 2005-02-23 at 17:21 +0000, David Woodhouse wrote:
>AFAICT there's only really two at the moment -- there's the unprivileged
>mode where we only really need access to the spool directory, and the
>mode we use for delivery, where we need to be able to write to users'
>files. At http://david.woodhou.se/exim-4.50-selinux.patch there's a
>patch which attempts to do this. If there are more personalities which I
>should have distinguished between, we can fix that. Do we need a
>separate binary to have privileges to listen on port 25? 

The same patch would probably allow us to run /usr/sbin/exim without the
setuid root -- it could be setugid exim.exim, and the privileged Exim
binary could be setuid root but executable only by the Exim group.

I'm including it inline now that Evolution will actually let me do so
without crashing...

It would be nice if we could reduce the use of the privileged binary. At
the moment we use it for all deliveries from the queue. A quick hack
would be to try a delivery without privs, and restart that delivery from
scratch with the privileged binary if we need to -- but I'm not sure I
like that much.

--- exim-4.50/src/transport.c~	2005-02-17 14:49:11.000000000 +0000
+++ exim-4.50/src/transport.c	2005-02-23 16:30:18.000000000 +0000
@@ -1558,7 +1558,7 @@ if ((pid = fork()) == 0)
   /* Set up the calling arguments; use the standard function for the basics,
   but we have a number of extras that may be added. */
 
-  argv = child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0);
+  argv = child_exec_exim(CEE_RETURN_ARGV, FALSE, TRUE, &i, FALSE, 0);
 
   if (smtp_authenticated) argv[i++] = US"-MCA";
 
--- exim-4.50/src/child.c~	2005-02-17 14:49:11.000000000 +0000
+++ exim-4.50/src/child.c	2005-02-23 16:27:54.000000000 +0000
@@ -69,8 +69,8 @@ Returns:         if CEE_RETURN_ARGV is g
 */
 
 uschar **
-child_exec_exim(int exec_type, BOOL kill_v, int *pcount, BOOL minimal,
-  int acount, ...)
+child_exec_exim(int exec_type, BOOL privileged, BOOL kill_v, int *pcount, 
+  BOOL minimal, int acount, ...)
 {
 int first_special = -1;
 int n = 0;
@@ -81,7 +81,8 @@ uschar **argv =
 /* In all case, the list starts out with the path, any macros, and a changed
 config file. */
 
-argv[n++] = exim_path;
+argv[n++] = privileged?exim_path_privileged:exim_path;
+
 if (clmacro_count > 0)
   {
   memcpy(argv + n, clmacros, clmacro_count * sizeof(uschar *));
@@ -204,11 +205,11 @@ if (pid == 0)
   close(pfd[pipe_write]);
   if (debug_fd > 0) force_fd(debug_fd, 2);
   if (bounce_sender_authentication != NULL)
-    child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 8,
+    child_exec_exim(CEE_EXEC_EXIT, FALSE, FALSE, NULL, FALSE, 8,
       US"-t", US"-oem", US"-oi", US"-f", US"<>", US"-oMas",
       bounce_sender_authentication, message_id_option);
   else
-    child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 6,
+    child_exec_exim(CEE_EXEC_EXIT, FALSE, FALSE, NULL, FALSE, 6,
       US"-t", US"-oem", US"-oi", US"-f", US"<>", message_id_option);
   /* Control does not return here. */
   }
--- exim-4.50/src/globals.h~	2005-02-22 20:40:26.000000000 +0000
+++ exim-4.50/src/globals.h	2005-02-23 16:18:27.000000000 +0000
@@ -285,6 +285,7 @@ extern int     errors_sender_rc;       /
 extern gid_t   exim_gid;               /* To be used with exim_uid */
 extern BOOL    exim_gid_set;           /* TRUE if exim_gid set */
 extern uschar *exim_path;              /* Path to exec exim */
+extern uschar *exim_path_privileged;   /* Path to exec exim with elevated privileges */
 extern uid_t   exim_uid;               /* Non-root uid for exim */
 extern BOOL    exim_uid_set;           /* TRUE if exim_uid set */
 extern int     expand_forbid;          /* RDO flags for forbidding things */
--- exim-4.50/src/readconf.c~	2005-02-22 20:40:26.000000000 +0000
+++ exim-4.50/src/readconf.c	2005-02-23 16:26:10.000000000 +0000
@@ -201,6 +201,7 @@ static optionlist optionlist_config[] = 
   { "errors_reply_to",          opt_stringptr,   &errors_reply_to },
   { "exim_group",               opt_gid,         &exim_gid },
   { "exim_path",                opt_stringptr,   &exim_path },
+  { "exim_path_privileged",     opt_stringptr,   &exim_path_privileged },
   { "exim_user",                opt_uid,         &exim_uid },
   { "extra_local_interfaces",   opt_stringptr,   &extra_local_interfaces },
   { "extract_addresses_remove_arguments", opt_bool, &extract_addresses_remove_arguments },
@@ -2898,6 +2899,11 @@ if (smtp_ratelimit_rcpt != NULL)
     &smtp_rlr_base, &smtp_rlr_factor, &smtp_rlr_limit);
   }
 
+/* If exim_path_privileged isn't explicitly set, it's the same as exim_path */
+
+if (exim_path_privileged == NULL)
+  exim_path_privileged = exim_path;
+
 /* The qualify domains default to the primary host name */
 
 if (qualify_domain_sender == NULL)
--- exim-4.50/src/globals.c~	2005-02-22 20:40:26.000000000 +0000
+++ exim-4.50/src/globals.c	2005-02-23 16:25:17.000000000 +0000
@@ -491,6 +491,7 @@ gid_t   exim_gid               = EXIM_GI
 BOOL    exim_gid_set           = TRUE;          /* This gid is always set */
 uschar *exim_path              = US BIN_DIRECTORY "/exim"
                         "\0<---------------Space to patch exim_path->";
+uschar *exim_path_privileged   = NULL;
 uid_t   exim_uid               = EXIM_UID;
 BOOL    exim_uid_set           = TRUE;          /* This uid is always set */
 int     expand_forbid          = 0;
--- exim-4.50/src/daemon.c~	2005-02-17 14:49:11.000000000 +0000
+++ exim-4.50/src/daemon.c	2005-02-23 16:28:21.000000000 +0000
@@ -621,7 +621,7 @@ if (pid == 0)
         if (geteuid() != root_uid && !deliver_drop_privilege)
           {
           signal(SIGALRM, SIG_DFL);
-          (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 2, US"-Mc",
+          (void)child_exec_exim(CEE_EXEC_PANIC, TRUE, FALSE, NULL, FALSE, 2, US"-Mc",
             message_id);
           /* Control does not return here. */
           }
@@ -1636,7 +1636,7 @@ for (;;)
           if (queue_run_local) *p++ = 'l';
           *p = 0;
 
-          (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, TRUE, 1, opt);
+          (void)child_exec_exim(CEE_EXEC_PANIC, TRUE, FALSE, NULL, TRUE, 1, opt);
           /* Control never returns here. */
           }
 
--- exim-4.50/src/exim.c~	2005-02-17 14:49:11.000000000 +0000
+++ exim-4.50/src/exim.c	2005-02-23 16:29:34.000000000 +0000
@@ -4698,7 +4698,7 @@ while (more)
 
       if (geteuid() != root_uid && !deliver_drop_privilege && !unprivileged)
         {
-        (void)child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 2, US"-Mc",
+	  (void)child_exec_exim(CEE_EXEC_EXIT, TRUE, FALSE, NULL, FALSE, 2, US"-Mc",
           message_id);
         /* Control does not return here. */
         }
--- exim-4.50/src/smtp_in.c~	2005-02-17 14:49:11.000000000 +0000
+++ exim-4.50/src/smtp_in.c	2005-02-23 16:29:54.000000000 +0000
@@ -3423,7 +3423,7 @@ while (done <= 0)
         break;
         }
       etrn_command = US"exim -R";
-      argv = child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE, 2, US"-R",
+      argv = child_exec_exim(CEE_RETURN_ARGV, FALSE, TRUE, NULL, TRUE, 2, US"-R",
         smtp_data);
       }
 
--- exim-4.50/src/functions.h~	2005-02-17 14:49:11.000000000 +0000
+++ exim-4.50/src/functions.h	2005-02-23 16:33:17.000000000 +0000
@@ -52,7 +52,7 @@ extern int     auth_get_no64_data(uschar
 extern uschar *auth_xtextencode(uschar *, int);
 extern int     auth_xtextdecode(uschar *, uschar **);
 
-extern uschar **child_exec_exim(int, BOOL, int *, BOOL, int, ...);
+extern uschar **child_exec_exim(int, BOOL, BOOL, int *, BOOL, int, ...);
 extern pid_t   child_open_uid(uschar **, uschar **, int, uid_t *, gid_t *,
                  int *, int *, uschar *, BOOL);
 



-- 
dwmw2
This archive was generated by a fusion of Pipermail 0.09 (Mailman edition) and MHonArc 2.6.8.