Date: Thu, 09 Dec 2010 17:56:10 +0100 From: Alexander Wittig <alexander@wittig.name> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/152962: [PATCH] add OPTIONs for additional safety features Message-ID: <E1PQjms-000EWx-KR@hotzenplotz.wittig.name> Resent-Message-ID: <201012091700.oB9H0Jjl022430@freefall.freebsd.org>
>Number: 152962
>Category: ports
>Synopsis: [PATCH] add OPTIONs for additional safety features
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 09 17:00:18 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Alexander Wittig
>Release: FreeBSD 8.2-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD hotzenplotz.wittig.name 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #0: Wed Dec 8 22:58:53 CET 2010 root@hotzenplotz.wittig.name:/usr/obj/usr/src/sys/ALEX amd64
>Description:
In the light of recently discovered possible remote root exploits in exim ([1] (German), [2]), it seems like a good idea to add some of the proposed mitigations to our exim port.

This will add two additional OPTIONs to set the ALT_CONFIG_ROOT_ONLY and DISABLE_D_OPTION options when building exim (cf. [3]). These options, together with the defaults in our port, will close the root privilege escalation discussed in [2] that is otherwise possible if the exim user is compromised (due to the design of exim).

Additionally, this patch will fix a misspelling that was only fixed partially in a previous commit, as well as change the description of the ALT_CONFIG_PREFIX option. This option is labeled entirely wrong right now: if it is NOT set (the default), it allows loading arbitrary configuration files from anywhere in the file system. If it is set, it restricts configuration files to paths starting with $PREFIX/etc/exim, which is by default only writeable by its owner (root). However, the current label ("Allow alternate configuration files") suggests the opposite: that if this option is set, more configuration files are allowed.

Default options are not affected, so at this point no bump in port revision is needed.
[1] http://www.heise.de/newsticker/meldung/Moegliche-Root-Luecke-in-Internet-Mailer-Exim-1150444.html [2] http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html [3] http://www.exim.org/exim-html-current/doc/html/spec_html/ch52.html >How-To-Repeat: see above >Fix: patch attached --- exim.patch begins here --- diff -ruN /usr/ports/mail/exim/Makefile exim/Makefile --- /usr/ports/mail/exim/Makefile 2010-09-07 04:05:29.000000000 +0200 +++ exim/Makefile 2010-12-09 17:10:29.000000000 +0100 @@ -449,6 +449,14 @@ SEDLIST+= -e 's,^\# (HAVE_IPV6=),\1,' .endif +.if defined(WITH_ALT_CONF_ROOT_ONLY) +SEDLIST+= -e 's,^\# (ALT_CONFIG_ROOT_ONLY=),\1,' +.endif + +.if defined(WITH_DISABLE_D_OPTION) +SEDLIST+= -e 's,^\# (DISABLE_D_OPTION=),\1,' +.endif + DUMMY_LDFLAGS!= ${ECHO_CMD} ${LDFLAGS} | ${SED} -e 's|-Wl,-rpath|-Wl,-DUMMYrpath|g; s|-rpath|-Wl,-rpath|g; s|-DUMMYrpath|-rpath|g' pre-everything:: diff -ruN /usr/ports/mail/exim/Makefile.options exim/Makefile.options --- /usr/ports/mail/exim/Makefile.options 2010-05-05 20:08:18.000000000 +0200 +++ exim/Makefile.options 2010-12-09 17:40:11.000000000 +0100 @@ -35,12 +35,14 @@ SUID = "Install the exim binary suid root" TLS = "Link against OpenSSL" -ALT_CONFIG_PREFIX = "Allow alternate configuration files" +ALT_CONFIG_PREFIX = "Restrict configuration file locations" +ALT_CONF_ROOT_ONLY = "Drop privileges if run with -C or -D" AUTH_RADIUS = "Enable radius (RFC 2865) authentication" AUTH_SASL = "Enable use of Cyrus SASL auth library" CONTENT_SCAN = "Enable exiscan email content scanner" DCC = "Enable DCC at ACL support via dccifd" DEBUG = "Build with debugging symbols" +DISABLE_D_OPTION = "Disable -D option of exim" EXIMON = "Build eximon monitor (require XFree86!)" KAS = "Build with Kaspersky AntiSpam local scan" MYSQL = "Link against libmysqlclient library" 
@@ -49,7 +51,7 @@ READLINE = "Enable readline(3) library" SASLAUTHD = "Enable use of Cyrus SASL auth daemon" SA_EXIM = "SA-Exim support" -SO_1024 = "Build with Spamooborona-1024 local scan" +SO_1024 = "Build with Spamoborona-1024 local scan" SPF = "Enable Sender Policy Framework checking" SQLITE = "Enable SQLite lookups" SRS = "Enable Sender Rewriting Scheme" @@ -84,11 +86,13 @@ DISABLED_OPTIONS+= \ ALT_CONFIG_PREFIX \ + ALT_CONF_ROOT_ONLY \ AUTH_RADIUS \ AUTH_SASL \ CONTENT_SCAN \ DCC \ DEBUG \ + DISABLE_D_OPTION \ EXIMON \ KAS \ MYSQL \ diff -ruN /usr/ports/mail/exim/options exim/options --- /usr/ports/mail/exim/options 2010-05-05 20:08:18.000000000 +0200 +++ exim/options 2010-12-09 17:40:27.000000000 +0100 @@ -1,5 +1,6 @@ OPTIONS+= \ - ALT_CONFIG_PREFIX "Allow alternate configuration files" off \ + ALT_CONFIG_PREFIX "Restrict configuration file locations" off \ + ALT_CONF_ROOT_ONLY "Drop privileges if run with -C or -D" off \ AUTH_CRAM_MD5 "Enable CRAM-MD5 authentication mechanisms" on \ AUTH_DOVECOT "Enable Dovecot authentication mechanisms" on \ AUTH_PLAINTEXT "Enalbe plaintext authentication" on \ @@ -11,6 +12,7 @@ DAEMON "Install scripts to run as a daemon" on \ DCC "Enable DCC at ACL support via dccifd" off \ DEBUG "Build with debugging symbols" off \ + DISABLE_D_OPTION "Disable -D option of exim" off \ DNSDB "Enable DNS-style lookups" on \ DSEARCH "Enable directory-list lookups" on \ EMBEDDED_PERL "Enable embedded Perl interpreter" on \ --- exim.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
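Review bot: the new `.if defined(WITH_ALT_CONF_ROOT_ONLY)` block in the `Makefile` hunk keys on an OPTION named `ALT_CONF_ROOT_ONLY` while the macro it uncomments in EDITME is `ALT_CONFIG_ROOT_ONLY`; naming the OPTION after the macro (as `ALT_CONFIG_PREFIX` already is) would avoid carrying the mismatch through `Makefile`, `Makefile.options` and `options`. The two sed expressions also only take effect if the port's EDITME has `# ALT_CONFIG_ROOT_ONLY=` and `# DISABLE_D_OPTION=` commented in exactly the form the existing `HAVE_IPV6` rule expects, so that should be verified against the exim version the port builds.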
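Review bot: the new label `DISABLE_D_OPTION = "Disable -D option of exim"` in the first `Makefile.options` hunk says what is switched off but not what -D does; since -D lets the caller define configuration macros on the command line, a label such as "Disable -D (command-line macro definitions)" would let users connect the knob to the hardening described in the PR. The reworded `ALT_CONFIG_PREFIX` label now agrees with the semantics the description gives (unset means unrestricted), which is the right direction.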
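Review bot: the `SO_1024` spelling fix in the second `Makefile.options` hunk (`Spamooborona` to `Spamoborona`) touches only that file; the `options` hunks in this patch do not include the `SO_1024` entry, so check that the `options` file and any other place the label is repeated already carry the corrected spelling, otherwise the description's "fixed partially" still applies after this commit.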
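Review bot: the unchanged context line `AUTH_PLAINTEXT "Enalbe plaintext authentication" on` in the first `options` hunk carries a typo (`Enalbe`); since this PR already corrects a label misspelling, fixing this one in the same commit would be cheap and keeps the option descriptions consistent.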
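Review bot: both new knobs default to `off` (`ALT_CONF_ROOT_ONLY` in the first `options` hunk, `DISABLE_D_OPTION` in the second), which keeps PORTREVISION unchanged as the description says, but it also means existing installations get neither mitigation unless the user re-runs `make config`; if the goal is to close the escalation cited in the description, consider defaulting them `on` with a PORTREVISION bump, or at least pointing them out in UPDATING or a pkg-message so administrators know the options exist.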
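As an added example (not code from the PR or the port), the POSIX sh snippet below applies the two SEDLIST expressions the patch adds to a constructed EDITME fragment and then audits which of the three settings the description discusses are actually enabled, reading a commented-out line as "off" exactly as the description does. It assumes `sed -E`, since the port's patterns use unescaped capture groups; the sample EDITME lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or the port: apply the two SEDLIST
# expressions the patch adds to a constructed EDITME fragment, then audit the
# result the way the PR's description reads these settings: a commented-out
# line means the protection is OFF. Assumes sed -E, because the port's
# patterns use unescaped capture groups (ERE syntax).

# Constructed sample of the relevant src/EDITME lines (all three disabled).
SAMPLE_EDITME='# ALT_CONFIG_PREFIX=/usr/local/etc/exim/
# ALT_CONFIG_ROOT_ONLY=yes
# DISABLE_D_OPTION=yes
EXIM_USER=mailnull'

# Uncomment the two lines as the patched Makefile's SEDLIST does. The Makefile
# writes "\#" so make does not read the hash as a comment; in plain shell the
# hash needs no escape.
enable_hardening() {
    printf '%s\n' "$1" | sed -E \
        -e 's,^# (ALT_CONFIG_ROOT_ONLY=),\1,' \
        -e 's,^# (DISABLE_D_OPTION=),\1,'
}

# "on" only if the macro is assigned on an uncommented line; a leading "#"
# (or the line missing entirely) means "off".
option_state() {
    if printf '%s\n' "$2" | grep -Eq "^$1=.+"; then
        echo on
    else
        echo off
    fi
}

# One-line summary of the three settings the PR discusses, e.g.
# "ALT_CONFIG_PREFIX=off ALT_CONFIG_ROOT_ONLY=on DISABLE_D_OPTION=on".
audit_exim_makefile() {
    summary=""
    for opt in ALT_CONFIG_PREFIX ALT_CONFIG_ROOT_ONLY DISABLE_D_OPTION; do
        summary="${summary}${summary:+ }${opt}=$(option_state "$opt" "$1")"
    done
    printf '%s\n' "$summary"
}

audit_exim_makefile "$SAMPLE_EDITME"
audit_exim_makefile "$(enable_hardening "$SAMPLE_EDITME")"
```

Run against a real Local/Makefile (after `make configure` in the port), the audit shows whether the built exim will carry the two mitigations without having to read the generated file by hand.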