#321462 exim4-config: Issue a warning if CFILEMODE allows world-read and config file has any hide options

#321462#5
Date:
2005-08-05 17:18:33 UTC
From:
To:
A warning should be issued if the configuration contains sensitive information
and CFILEMODE allows world-read (and some option isn't suppressing the
warning); such as the presence of any exim options prefixed with "hide", or
perhaps even just the presence of lines such as "mysql_servers" and similar
(in this case, that line is likely to contain a database user/password that
users should not be able to see).

(previous closed bug relevant to this issue: #203320)

It is relatively easy for someone to come along many months later and
alter their configuration to include sensitive information and forget
that these files turn into a /var/log/exim4/config.autogenerated that
may no longer have desirable permissions. Also, people used to
other exim installations or inheriting an already configured system may
not be familiar with this method of doing the configuration.

#321462#10
Date:
2005-08-05 21:50:32 UTC
From:
To:
* Dave E. Martin:

The presence of such a warning would just give a false sense of
security, I fear.  By its nature, it would be very unreliable.  Even
Exim itself doesn't know in some cases which strings in the
configuration file are passwords, for example.

#321462#15
Date:
2005-08-07 09:02:04 UTC
From:
To:
tags 321462 wontfix
thanks

My thoughts exactly.
                 cu andreas

#321462#22
Date:
2005-08-07 13:09:35 UTC
From:
To:
Greetings
Marc

#321462#27
Date:
2005-08-08 22:25:49 UTC
From:
To:
Exim very clearly documents that "hide" should prefix any options which
are insecure. How hard can it be to see if the generated configuration
file contains *any* hide directives?

If you are worried about providing a false sense of security, then you
could always just print a notice (don't even worry about trying to
interpret the contents of the config files) that CFILEMODE is world
readable when that is the case:

/etc/init.d/exim4 reload
Reloading exim4 configuration files, notice:
/var/lib/exim4/config.autogenerated produced with permissions 644.

That will be enough of a clue to someone familiar with exim, but NOT
familiar with the behind-the-scenes stuff going on in this particular
implementation, that they may not be done.

The problem as I see it is that a false sense of security is being
provided by the fact that it is not obvious that there is another
configuration file produced based on the files in /etc/exim4/conf.d and
the fact that other exim environments use the split-files idea, but not
the two stage configuration (and the people editing those files assume
that they *are* the files, and *their* permissions are the ones which
apply).

I'm proposing a warning specifically to catch those who have no idea
that they may have an insecure config file, not to reassure those who
are expecting the absence of a warning to automatically believe that
that absence means it's secure. (I can write an incorrect program that
passes a compiler with flying colors, does that mean that compiler
warnings and errors are useless and should be done away with?)

#321462#32
Date:
2005-08-09 05:33:57 UTC
From:
To:
I don't like the idea of the script writing that notice on every
reload on the vast majority of installations.

Additionally, since we do not ship a configuration that is in need of
hide directives, I think that somebody who is able to change the exim
configuration that badly should be able to read the README and notice
our configuration mechanism.

I would be willing to accept a patch that looks at the file
permissions of the input file(s) and gives the autogenerated config
file the least common denominator. So, if there is only one file that
is not world readable in the input, the output will at most be 640
automatically. CFILEMODE would have to be included in that least
common denominator as well.

But generating output on update-exim4.conf is something I don't like.

Greetings
Marc

#321462#37
Date:
2005-08-10 20:09:16 UTC
From:
To:
This is a quicky that I've barely tested (and used constant directory
paths/names in), but this should be along those lines (except for the
case of no configuration files, which I presume is an illegal state)

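#in bash:
cd /etc/exim4
# AND together the octal modes of everything find reports, plus CFILEMODE
let MODE=`find .. -printf '0%m&'|sed 's/&$//'`\&0$CFILEMODE
# let stores MODE in decimal, so convert it back to octal for chmod
chmod `printf %o $MODE` /var/lib/exim4/config.autogenerated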

#321462#42
Date:
2005-08-10 20:11:00 UTC
From:
To:
Oops, that cd should be:

cd /etc/exim4/conf.d
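
The least-common-denominator rule Marc describes, combined with the hide-option notice this report asks for, as an added example that is not part of the thread or of update-exim4.conf. The function names and the scratch-directory demo are assumptions, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example (not from update-exim4.conf); function names are hypothetical.

# lcd_mode DIR CFILEMODE
# Print CFILEMODE ANDed with the permission bits of every regular file under
# DIR, so a single 640 input file caps the output at 640.
lcd_mode() {
    lcd=$(( 0$2 ))
    for m in $(find "$1" -type f -exec stat -c '%a' {} +); do
        lcd=$(( lcd & 0$m ))
    done
    printf '%04o\n' "$lcd"
}

# has_hide FILE: true if any option in FILE carries Exim's "hide" prefix.
has_hide() {
    grep -Eq '^[[:space:]]*hide[[:space:]]' "$1"
}

# warn_if_exposed FILE MODE
# Return 1 and print a notice when FILE has hide options and MODE lets
# "other" read it; stay silent and return 0 otherwise.
warn_if_exposed() {
    if has_hide "$1" && [ $(( 0$2 & 04 )) -ne 0 ]; then
        echo "notice: $1 contains hide options but mode $2 is world-readable" >&2
        return 1
    fi
}

# Constructed demo in a scratch directory (no real Exim files are touched).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf.d/main"
    echo 'primary_hostname = mail.example.org' > "$tmp/conf.d/main/01_host"
    echo 'hide mysql_servers = localhost/db/user/CONSTRUCTED' > "$tmp/conf.d/main/02_db"
    chmod 644 "$tmp/conf.d/main/01_host"; chmod 640 "$tmp/conf.d/main/02_db"
    cat "$tmp"/conf.d/main/* > "$tmp/config.autogenerated"
    warn_if_exposed "$tmp/config.autogenerated" 0644 || true  # notice on stderr
    mode=$(lcd_mode "$tmp/conf.d" 0644)   # 644 & 644 & 640
    chmod "$mode" "$tmp/config.autogenerated"
    echo "$mode"
    rm -rf "$tmp"
}
demo
```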

#321462#47
Date:
2005-10-01 19:44:52 UTC
From:
To:
Yuck!

I would like to propose the following patch to ue4.conf to add the
requested warnings. Please comment.

Greetings
Marc

#321462#55
Date:
2010-12-23 01:27:22 UTC
From:
To:
Hi,

what about setting the file /var/lib/exim4/config.autogenerated to 0640 privs?
Or apply a fix like the one suggested by Marc Haber: set the least common denominator of all config files.

In the current conf, exim4 can't securely be set up to use a DB (except file DB, like Sqlite).

Thanks,
Olivier B.

#321462#60
Date:
2010-12-23 17:58:47 UTC
From:
To:
On 2010-12-23 Olivier Bonvalet <ob.reportbug@daevel.fr> wrote:
[...]
[...]

That is already supported perfectly well.

ametzler@argenau:~$ man update-exim4.conf | grep -3 CFILEMODE
NOTES
  update-exim4.conf  changes  the  file permissions of the output file to
  the value of the environment variable CFILEMODE. If CFILEMODE  is  nei‐
  ther set in /etc/exim4/update-exim4.conf.conf nor in the environment it
  defaults to 0644.  Change this to 0640 if  you  are  keeping  sensitive
  information (LDAP credentials et. al.) in there.

cu andreas

#321462#65
Date:
2010-12-23 18:33:00 UTC
From:
To:
On 23/12/2010 18:58, Andreas Metzler wrote:

arg... thanks! I missed that part...