#321462 exim4-config: Issue a warning if CFILEMODE allows world-read and config file has any hide options
- Package: exim4-config
- Source: exim4
- Submitter: Dave E Martin
- Date: 2010-12-23 18:36:03 UTC
- Severity: wishlist
A warning should be issued if the configuration contains sensitive information and CFILEMODE allows world-read (and some option isn't suppressing the warning); such as the presence of any exim options prefixed with "hide", or perhaps even just the presence of lines such as "mysql_servers" and similar (in this case, that line is likely to contain a database user/password that users should not be able to see). (previous closed bug relevant to this issue: #203320) It is relatively easy for someone to come along many months later and alter their configuration to include sensitive information and forget that these files turn into a /var/log/exim4/config.autogenerated that may no longer have desirable permissions. Also, people used to other exim installations or inheriting an already configured system that may not be familiar with this method of doing the configuration.
* Dave E. Martin: The presence of such a warning would just give a false sense of security, I fear. By its nature, it would be very unreliable. Even Exim itself doesn't know in some cases which strings in the configuration file are passwords, for example.
tags 321462 wontfix
thanks
My thoughts exactly.
cu andreas
Greetings Marc
Exim very clearly documents that "hide" should prefix any options which are insecure. How hard can it be to see if the generated configuration file contains *any* hide directives? If you are worried about providing a false sense of security, then you could always just print a notice (don't even worry about trying to interpret the contents of the config files) that CFILEMODE is world readable when that is the case:

    /etc/init.d/exim4 reload
    Reloading exim4 configuration files, notice: /var/lib/exim4/config.autogenerated produced with permissions 644.

That will be enough of a clue to someone familiar with exim, but NOT familiar with the behind-the-scenes stuff going on in this particular implementation, that they may not be done. The problem as I see it is that a false sense of security is being provided by the fact that it is not obvious that there is another configuration file produced based on the files in /etc/exim4/conf.d and the fact that other exim environments use the split-files idea, but not the two stage configuration (and the people editing those files assume that they *are* the files, and *their* permissions are the ones which apply). I'm proposing a warning specifically to catch those who have no idea that they may have an insecure config file, not to reassure those who are expecting the absence of a warning to automatically believe that that absence means it's secure. (I can write an incorrect program that passes a compiler with flying colors, does that mean that compiler warnings and errors are useless and should be done away with?)
I don't like the idea of the script writing that notice on every reload on the vast majority of installations. Additionally, since we do not ship a configuration that is in need of hide directives, I think that somebody who is able to change the exim configuration that badly should be able to read the README and notice our configuration mechanism. I would be willing to accept a patch that looks at the file permissions of the input file(s) and gives the autogenerated config file the least common denominator. So, if there is only one file that is not world readable in the input, the output will at most be 640 automatically. CFILEMODE would have to be included in that least common denominator as well. But generating output on update-exim4.conf is something I don't like.
Greetings Marc
This is a quicky that I've barely tested (and used constant directory paths/names in), but this should be along those lines (except for the case of no configuration files, which I presume is an illegal state)

    #in bash:
    cd /etc/exim4
    # AND together the modes of all input files and CFILEMODE (all read as octal)
    let MODE=`find .. -printf '0%m&'|sed 's/&$//'`\&0$CFILEMODE
    # apply the result to the generated file
    chmod `printf %o $MODE` /var/lib/exim4/config.autogenerated
Oops, that cd should be: cd /etc/exim4/conf.d
Yuck! I would like to propose the following patch to ue4.conf to add the requested warnings. Please comment. Greetings Marc
Hi, what about setting the file /var/lib/exim4/config.autogenerated with 0640 privs? Or apply a fix like the one suggested by Marc Haber: set the least common denominator of all config files. In current conf, exim4 can't securely be set up to use a DB (except file DB, like Sqlite).
Thanks, Olivier B.
On 2010-12-23 Olivier Bonvalet <ob.reportbug@daevel.fr> wrote:
[...]
[...]
That is already supported perfectly well.

    ametzler@argenau:~$ man update-exim4.conf | grep -3 CFILEMODE
    NOTES
           update-exim4.conf changes the file permissions of the output file to
           the value of the environment variable CFILEMODE. If CFILEMODE is nei‐
           ther set in /etc/exim4/update-exim4.conf.conf nor in the environment it
           defaults to 0644. Change this to 0640 if you are keeping sensitive
           information (LDAP credentials et. al.) in there.

cu andreas
On 23/12/2010 18:58, Andreas Metzler wrote:
arg... thanks! I missed that part...
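
The check requested in this report can also be run by an administrator outside the package. The following is an added example, not code from the thread or from update-exim4.conf: it reports when the generated file is world-readable while it contains `hide` options, or while any input file has tighter permissions. The function names are hypothetical, and the paths in the last comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: flag a generated Exim config that is more exposed than its
# contents or inputs warrant. Function names are hypothetical. This is a
# heuristic: only options explicitly prefixed with "hide" are recognised.

# world_readable FILE: succeeds if the "other" read bit is set (GNU stat).
world_readable() {
    case $(stat -c '%a' "$1" 2>/dev/null) in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# has_hide FILE: succeeds if any option setting is prefixed with "hide".
has_hide() {
    grep -Eq '^[[:space:]]*hide[[:space:]]+[A-Za-z_]' "$1"
}

# audit_exim_config OUTPUT INPUT_DIR: returns 1 and warns on stderr if OUTPUT
# is world-readable while it contains hide options, or while any input file
# under INPUT_DIR has been made non-world-readable by the admin.
audit_exim_config() {
    out=$1 indir=$2 rc=0
    world_readable "$out" || return 0
    if has_hide "$out"; then
        echo "warning: $out is world-readable and contains hide options" >&2
        rc=1
    fi
    restricted=$(find "$indir" -type f ! -perm -004)
    if [ -n "$restricted" ]; then
        echo "warning: $out is world-readable, but these inputs are not:" >&2
        echo "$restricted" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone use: audit.sh /var/lib/exim4/config.autogenerated /etc/exim4/conf.d
if [ "$#" -eq 2 ]; then
    audit_exim_config "$1" "$2"
fi
```

Because it only reports, it can run from cron or a monitoring check without changing the output of update-exim4.conf on every reload.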