Bug#321462: exim4-config: Issue a warning if CFILEMODE allows world-read and config file has any hide options
Marc Haber
mh+debian-packages at zugschlus.de
Sat Oct 1 19:44:52 UTC 2005
On Wed, Aug 10, 2005 at 02:09:16PM -0600, Dave wrote:
> This is a quicky that I've barely tested (and used constant directory
> paths/names in), but this should be along those lines (except for the
> case of no configuration files, which I presume is an illegal state)
>
> #in bash:
> cd /etc/exim4
> let MODE=`find .. -printf '0%m&'|sed 's/&$//'`\&0$CFILEMODE
> chmod `printf %o`$MODE /var/lib/exim4/config.autogenerated
Yuck!
I would like to propose the following patch to ue4.conf to add the
requested warnings. Please comment.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in the header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
--- /usr/sbin/update-exim4.conf 2005-08-21 11:48:27.000000000 +0200
+++ update-exim4.conf 2005-10-01 21:43:20.000000000 +0200
@@ -99,6 +99,13 @@
[ "x${dc_localdelivery}" = "x" ] && dc_localdelivery='mail_spool'
[ "x${UPEX4C_comments}" = "x" ] && UPEX4C_comments="${ue4c_keepcomments:-no}"
+# this file has its mode narrowed to the narrowest mode of any input file
+# read, so that we can later complain about a too wide CFILEMODE. This
+# detour is necessary because cat_parts runs in a subshell
+touch ${UPEX4C_outputfile}.mode
+chmod 0777 ${UPEX4C_outputfile}.mode
+READFILEMODE=0777
+
mailname=`cat /etc/mailname | head -n 1`
# add localhost, get rid of spaces and trailing colons
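Review bot: the `${UPEX4C_outputfile}.mode` helper file created here is never removed; nothing after the final check at the end of the patch deletes it, so a world-writable (`chmod 0777`) file is left behind in the output directory after every run, and a file or symlink that already exists at that path is reused by `touch` rather than replaced. Suggest creating it with `mktemp` in the output directory and adding `rm -f ${UPEX4C_outputfile}.mode` after the last `READFILEMODE` check; only its permission bits are ever read, so the 0777 mode is needed purely as the accumulator's starting value, not as something that must persist.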
@@ -191,16 +198,19 @@
if [ ! -d "$1" ]; then
errormessage "$0: internal cat_parts called, but $1 does not exist or is not a directory."
fi
+ CP_READFILEMODE=511 # 0777
for file in `run_parts $1`; do
echo "#####################################################"
echo "### $file"
echo "#####################################################"
cat $file
+ CP_READFILEMODE="$(( $READFILEMODE & 0$(find $file -printf %m) ))"
echo
echo "#####################################################"
echo "### end $file"
echo "#####################################################"
done
+ chmod 0$( printf %o $(( $CP_READFILEMODE & 0$(find ${UPEX4C_outputfile}.mode -printf %m) )) ) ${UPEX4C_outputfile}.mode
}
# check whether the file given as argument was modified by the user
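Review bot: the accumulation inside the `for` loop is broken. `CP_READFILEMODE="$(( $READFILEMODE & 0$(find $file -printf %m) ))"` reads the outer `$READFILEMODE` (still 0777 at this point) instead of `$CP_READFILEMODE`, so every iteration overwrites the previous result and only the last snippet's mode survives; the `CP_READFILEMODE=511` initialisation is then never used. It should read `CP_READFILEMODE="$(( $CP_READFILEMODE & 0$(find $file -printf %m) ))"`. Separately, `find $file -printf %m` does not follow symlinks, so a symlinked snippet in the conf.d tree reports the link's own 777 and never narrows anything; `find -L $file -printf %m` or `stat -L -c %a $file` returns the target's bits.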
@@ -307,8 +317,10 @@
else
LOCALMACROS=""
if [ -e "/etc/exim4/exim4.conf.localmacros" ]; then
- LOCALMACROS="/etc/exim4/exim4.conf.localmacros"
+ LOCALMACROS="/etc/exim4/exim4.conf.localmacros"
+ READFILEMODE="$(( $READFILEMODE & 0$(find $LOCALMACROS -printf %m) ))"
fi
+ READFILEMODE="$(( $READFILEMODE & 0$(find /etc/exim4/exim4.conf.template -printf %m) ))"
cat $LOCALMACROS /etc/exim4/exim4.conf.template | \
removecomments | \
sed -e "s/DEBCONF[^D][^E][^B].*DEBCONF//g" \
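Review bot: the `-`/`+` pair for `LOCALMACROS="/etc/exim4/exim4.conf.localmacros"` is identical apart from whitespace, which adds noise to the diff without changing behaviour; if only indentation moved, drop that pair from the patch. The two `READFILEMODE="$(( $READFILEMODE & 0$(find ... -printf %m) ))"` lines here are repeated verbatim in the next hunk; a small helper such as `narrow_mode FILE` that does the `find -printf %m` and the AND in one place would avoid keeping four copies in sync and would be the one place to address the symlink behaviour of `%m`.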
@@ -372,7 +384,9 @@
LOCALMACROS=""
if [ -e "/etc/exim4/exim4.conf.localmacros" ]; then
LOCALMACROS="/etc/exim4/exim4.conf.localmacros"
+ READFILEMODE="$(( $READFILEMODE & 0$(find $LOCALMACROS -printf %m) ))"
fi
+ READFILEMODE="$(( $READFILEMODE & 0$(find /etc/exim4/exim4.conf.template -printf %m) ))"
cat $LOCALMACROS /etc/exim4/exim4.conf.template \
| sed -e "s?DEBCONFlocal_domainsDEBCONF?@:${local_domains}?g" \
-e "s?DEBCONFrelay_domainsDEBCONF?${dc_relay_domains}?g" \
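Review bot: same duplicated narrowing as in the previous hunk, see that note. Note also that only `localmacros` is guarded by `[ -e ... ]`; `/etc/exim4/exim4.conf.template` is narrowed unconditionally, and if the template is absent `find` prints nothing, `0$(...)` collapses to the bare constant `0`, and `READFILEMODE` is silently narrowed to 0, which guarantees the final "narrower mode" warning instead of reporting the missing template. Checking for the template first (or using the helper suggested above, which can fail loudly) would give a clearer error.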
@@ -409,4 +423,13 @@
fi
mv -f ${UPEX4C_outputfile}.tmp ${UPEX4C_outputfile}
+if grep -q '^[[:space:]]\+hide' ${UPEX4C_outputfile}; then
+ if [ "$(( 0$CFILEMODE & 044 ))" -ne 0 ]; then
+ errormessage "${UPEX4C_outputfile} contains hide directives, but is readable for group and/or world"
+ fi
+fi
+READFILEMODE="0$(( $READFILEMODE & 0$(find ${UPEX4C_outputfile}.mode -printf %m) ))"
+if [ "$(( 0$CFILEMODE ))" -gt "$READFILEMODE" ]; then
+ errormessage "${UPEX4C_outputfile} contains input from files which have a narrower mode than $CFILEMODE"
+fi
chmod ${CFILEMODE} ${UPEX4C_outputfile}
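Review bot: two logic problems in the new checks. First, `grep -q '^[[:space:]]\+hide'` requires at least one leading whitespace character, so a `hide` directive at column 0 (the usual placement in the main section of the template) is not detected, and it also matches any line whose first word merely starts with `hide`; `grep -q '^[[:space:]]*hide[[:space:]]'` covers both. Second, `[ "$(( 0$CFILEMODE ))" -gt "$READFILEMODE" ]` compares modes as plain integers, which is not a permission-subset test: CFILEMODE=0604 is numerically below an input mode of 0640 and passes, although it adds world-read. Drop the `"0"` prefix from the `READFILEMODE="0$(( ... ))"` assignment (it glues an octal-looking zero onto a decimal result, and the comparison only works because `test` parses it as decimal), then test the bits CFILEMODE grants that the narrowest input lacks: `[ $(( 0$CFILEMODE & ~$READFILEMODE )) -ne 0 ]`. This is also the point to `rm -f ${UPEX4C_outputfile}.mode` once it has been read.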
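The checks discussed in this thread as an added, stand-alone example (my own shell code, not Marc's patch or anything from the exim4 package): modes are narrowed with a bitwise AND, `stat -L` is used so a symlinked input reports its target's mode, and a bit-subset test replaces the numeric comparison. The function names, the `check_config` interface and the sample files in `demo` are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not Marc's patch: narrowest input mode, "hide" exposure check,
# and a bit-subset test for CFILEMODE. Modes are decimal inside $(( )) and
# octal digits at the edges, the convention the patch itself uses.

# Permission bits as octal digits; -L follows symlinks so a symlinked input
# reports its target's mode rather than the link's own 777.
file_mode() { stat -L -c %a "$1"; }

# Bitwise AND of the modes of all files given; prints octal digits, e.g. 640.
narrowest_mode() {
    acc=511                                  # 0777: start with every bit set
    for f in "$@"; do acc=$(( $acc & 0$(file_mode "$f") )); done
    printf '%o\n' "$acc"
}

# Succeeds when CFILEMODE grants no bit the narrowest input mode lacks.
# A numeric compare is not enough: 0604 < 0640, yet 0604 adds world-read.
mode_within() { [ $(( 0$1 & ~0$2 )) -eq 0 ]; }

# Exim "hide" directives at any indentation, including column 0.
has_hide_directive() { grep -q '^[[:space:]]*hide[[:space:]]' "$1"; }

# Both checks for one generated file: warnings on stderr, their count on stdout.
# usage: check_config OUTFILE CFILEMODE INPUT...
check_config() {
    out=$1; cfilemode=$2; shift 2; n=0
    if has_hide_directive "$out" && [ $(( 0$cfilemode & 044 )) -ne 0 ]; then
        echo "warning: $out has hide directives but CFILEMODE=$cfilemode is group/world readable" >&2
        n=$(( n + 1 ))
    fi
    narrowest=$(narrowest_mode "$@")
    if ! mode_within "$cfilemode" "$narrowest"; then
        echo "warning: CFILEMODE=$cfilemode is wider than narrowest input mode $narrowest" >&2
        n=$(( n + 1 ))
    fi
    echo "$n"
}

# Constructed demo: inputs with modes 0640 and 0604 concatenated into an output
# that is to be published with CFILEMODE=644, which triggers both warnings.
demo() {
    d=$(mktemp -d)
    printf 'hide mysql_servers = localhost/db/user/pw\n' > "$d/00_main"; chmod 0640 "$d/00_main"
    printf '  domainlist local_domains = @\n' > "$d/10_dom"; chmod 0604 "$d/10_dom"
    cat "$d/00_main" "$d/10_dom" > "$d/out"
    check_config "$d/out" 644 "$d/00_main" "$d/10_dom"   # prints 2
    rm -rf "$d"
}
demo
```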