Hi mailing list, We have an external tool for checking user authentication, but running it seems to be labelled as tainted inconsistently after upgrading to 4.96.
Here is our PLAIN auth: plain: driver = plaintext public_name = PLAIN server_prompts = : server_condition = ${run,preexpand{/usr/bin/eximpassword "--localpart=${local_part:$2}" "--hostname=${domain:$2}" "--password=${rxquote:$3}"}{yes}{no}} server_set_id = $2 server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} This results in a failure to run as apparently the path is tainted even though it is hard coded: 722716 plain authenticator server_condition: 722716 $auth1 = 722716 $auth2 = u...@example.com 722716 $auth3 = Password! 722716 $1 = 722716 $2 = u...@example.com 722716 $3 = Password! 722716 direct command: 722716 argv[0] = '/usr/bin/eximpassword' 722716 argv[1] = '--localpart=user' 722716 argv[2] = '--hostname=example.com' 722716 argv[3] = '--password=Password!' 722716 LOG: MAIN PANIC 722716 Attempt to exec tainted path: '/usr/bin/eximpassword' 722716 expansion failed: couldn't create child process: Operation not permitted However, and here's where things get confusing, here is our LOGIN auth where we run an **identical** command: login: driver = plaintext public_name = LOGIN server_prompts = "Username:: : Password::" server_condition = ${run,preexpand{/usr/bin/eximpassword "--localpart=${local_part:$1}" "--hostname=${domain:$1}" "--password=${rxquote:$2}"}{yes}{no}} server_set_id = $1 server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} This works, as if untainted: 723062 login authenticator server_condition: 723062 $auth1 = u...@example.com 723062 $auth2 = Password! 723062 $1 = u...@example.com 723062 $2 = Password! 723062 direct command: 723062 argv[0] = '/usr/bin/eximpassword' 723062 argv[1] = '--localpart=user' 723062 argv[2] = '--hostname=example.com' 723062 argv[3] = '--password=Password!' 723062 daemon-accept forking for expand-run 723062 daemon-accept forked for expand-run: 723068 723068 postfork: expand-run 723062 expanded string: yes 723062 SMTP>> 235 Authentication succeeded The documentation on https://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#SECID82 doesn't seem to cover how ${run} is checked for taint during expansion. Why are seemingly identical commands inconsistently marked as tainted? Is this a bug please? If it's by design is there any more documentation about how ${run} is expanded please? Thanks in advance, -- Andrew. -- ## subscription configuration (requires account): ## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/ ## unsubscribe (doesn't require an account): ## exim-users-unsubscr...@lists.exim.org ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/