Re: [exim] tainted filename issue
On 06/05/2021 02:31, Dan Egli via Exim-users wrote:

> 20095 LOG: MAIN PANIC DIE
> 20095 unable to set gid=12 or uid=8 (euid=1002): system filter

That's a basic syscall failure. My initial guess would be that your use of symlinks, or maybe of setuid bits on binaries, is the problem.

--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] tainted filename issue
Dan Egli via Exim-users (Wed 05 May 2021 22:45:34 CEST):

> and I THINK it's okay. Problem is that I'm encountering another issue that
> prevents me from saying all is well. I have my updated exim binary as
> exim_new and the updated config as exim_new.conf, but when I try to submit a
> message exim conks out saying I passed a bad or incomplete argument:

Try setting the binary name

    exim_path = …

in your new config.

--
Heiko
Re: [exim] tainted filename issue
On 05/05/2021 21:45, Dan Egli via Exim-users wrote:

> 2021-05-05 14:35:29.708 cwd=/etc/exim 5 args: exim_new -d -bd -C exim_new.conf
> [much deleted for brevity]
> 15754 Calling SSL_read(0x5573489f8110, 0x5573489f99a0, 4096)
> 15758 postfork: daemon-accept-delivery
> 15758 exec /usr/sbin/exim -C exim_new.conf -d=0xf7795cfd -MCd daemon-accept-delivery -Mc 1leOFn-000466-HW
> exim abandoned: unknown, malformed, or incomplete option -MCd
> 15754 SMTP<< QUIT
>
> So how do I figure out what the heck is going on here?

Exim re-execs itself during message processing. Your new binary is exec'ing your old binary, and assuming it can handle the commandline args it knows about. You can't shuffle binary names like that; sorry.

--
Cheers,
Jeremy
Re: [exim] tainted filename issue
Dan Egli via Exim-users (Wed 05 May 2021 02:41:38 CEST):

> I just upgraded to 4.94.2, and most everything is working fine. But I'm
> getting an issue on DKIM signings with tainted filename. I looked over the
> list and tried to apply the same fix I've seen used before, but I guess I'm
> not understanding it. Here's my dkim_private_key statement:
>
> dkim_private_key = ${if
> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
>
> So how do I correct this? Thanks!

You didn't run 4.94 before, did you?

The $sender_address_domain is considered tainted. Now (since >= 4.94) Exim refuses to use tainted data for filenames. The "exists" doesn't de-taint the data. You need to perform a kind of lookup first, to "clean"/"de-taint" the data.

    # determine the domain to be used for signing (use the rfc5322.From
    # or schlittermann.de as a fallback)
    dkim_domain = ${lookup{${domain:${address:$h_from:}}}dsearch{$config_dir/dkim}{$value}{schlittermann.de}}
    dkim_selector = ${lookup{$dkim_domain}lsearch{$config_dir/dkim/selector}}

    # use the found signing domain and its selector to get
    # the private key
    dkim_private_key = $config_dir/dkim/$dkim_domain/$dkim_selector.pem

--
Heiko
Re: [exim] tainted filename issue
On 05/05/2021 01:41, Dan Egli via Exim-users wrote:

> dkim_private_key = ${if exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
>
> So how do I correct this?

You look up that domain in a trusted database, so as to obtain a trusted value. This has to be done in a manner that Exim recognises: obtaining untainted data that you can use in your expansion.

The "exists" check is not sufficient for this. Replace it with a "dsearch" lookup, since (currently) your trusted database is the filesystem.

--
Cheers,
Jeremy
Re: [exim] tainted filename issue
On 05/05/2021 02:41, Dan Egli via Exim-users wrote:

> dkim_private_key = ${if
> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}

That's a classic already searchable on the list... use dsearch like that:

    dkim_private_key = ${lookup {${dkim_selector}.${dkim_domain}.pem} dsearch,ret=full {/etc/mail/domainkeys}}

Greetings, Wolfgang

--
Wolfgang Breyha | https://www.blafasel.at/
Vienna University Computer Center | Austria
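The de-tainting the replies above describe, worked through for the original poster's layout (one key per sender domain under /etc/exim/DKIM) as an added example that is not from any of the posters or from the Exim project. It assumes Exim 4.94 or later (for the dsearch filter= option), a fixed selector named "default", and that a missing key directory should mean "do not sign"; both the selector name and the directory layout are assumptions.

```exim
# Before: $sender_address_domain comes from the SMTP envelope and is tainted.
# "exists" only tests whether the path is there; it hands the same tainted
# string back, so Exim 4.94+ refuses to open the key and logs the
# "tainted filename" failure.
#
# dkim_private_key = ${if exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
#                    {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}

# After: treat the key directory as the trusted database.  dsearch returns the
# name of a directory entry that really exists, and that returned value is
# untainted.  filter=dir ignores stray files; the empty failure branch leaves
# dkim_domain empty when no per-domain directory exists, so Exim skips signing
# instead of failing the delivery.
dkim_domain = ${lookup {${lc:$sender_address_domain}} dsearch,filter=dir {/etc/exim/DKIM} {$value}{}}

# Assumed fixed selector; a per-domain selector could be looked up with
# lsearch as in Heiko's reply.
dkim_selector = default

# $dkim_domain now holds lookup output, not envelope data, so building the
# path from it is allowed.  This option is only expanded when dkim_domain is
# non-empty, i.e. when the directory was found.
dkim_private_key = /etc/exim/DKIM/$dkim_domain/dkim.private.key.pem
```

Check the expansion before deploying with `exim -C exim.conf -be '${lookup {example.org} dsearch,filter=dir {/etc/exim/DKIM} {$value}{none}}'`, which should print the directory name for a provisioned domain and `none` otherwise.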