Exim keep environment


So you have started getting one of these annoying emails every day:

/etc/cron.daily/exim4-base:
LOG: MAIN
  Warning: purging the environment.
 Suggested action: use keep_environment.

Why on Earth? Does it mean something? Is it important? Is it risky to ignore them? How do I get rid of them?

Keep reading.

Why on Earth? Does it mean something?

What triggered these messages is an update to the exim4 package. The changelog shows why:

  * SECURITY UPDATE: privilege escalation when used with perl_startup
    - debian/patches/CVE-2016-1531.patch: add new add_environment and
      keep_environment configuration options.
    - debian/patches/CVE-2016-1531-2.patch: don't issue env warning if env
      is empty.
    - debian/patches/CVE-2016-1531-3.patch: store the initial working
      directory, expand $initial_cwd.
    - debian/patches/CVE-2016-1531-4.patch: delay chdir(/) until we opened
      the main config.
    - Add macros MAIN_KEEP_ENVIRONMENT and MAIN_ADD_ENVIRONMENT to set the
      new options. Set "keep_environment =" by default to avoid a runtime
      warning.

In short, there was a privilege escalation (CVE-2016-1531) that worked through environment variables, so the decision was to strip all environment variables from exim4 when it runs. However, some scripts called by exim4 (such as mail filtering scripts) might need some of them, so there are two new options, keep_environment and add_environment, with matching macros, to say which variables to keep and which to add.

Is it important? Is it risky to ignore them?

If you write advanced scripts that are executed from inside exim4, you quite likely know all this already. If you don't, this message simply lands in your inbox even though, as far as you can tell, you never asked for anything.

If nothing seems disturbed in your mail (you're still getting your mail, and filters, if any, seem to work), the exim4 maintainers' decision to remove all environment variables was the right one for you, and all you have to do is get rid of the message so it doesn't pollute your mail and your view of the system.

If something is disturbed, it has to be fixed, which is out of the scope of this article.

How do I get rid of them?

By setting exim4's new option keep_environment to an empty value. This is already done in the exim4.conf.template file that ships with the package update. If it isn't done on your system, you probably chose to keep your old exim4.conf.template instead of replacing it with the new one when the exim4 update procedure asked you, most likely because you had made changes to exim4.conf.template that you wanted to keep. In that case you have no choice but to manually merge your old exim4.conf.template with the new one, which should be exim4.conf.template.dpkg-dist.

But before you do that, perform a check:

$ exim4 -bP >/dev/null

You should see the warning:

LOG: MAIN
  Warning: purging the environment.
 Suggested action: use keep_environment.

Now merge the files by hand (using diff) into exim4.conf.template, and don't forget to make a backup first. If you only want to take the relevant part from the .dpkg-dist file, this is it:

.ifdef MAIN_KEEP_ENVIRONMENT
keep_environment = MAIN_KEEP_ENVIRONMENT
.else
# set option to empty value to avoid warning.
keep_environment =
.endif
.ifdef MAIN_ADD_ENVIRONMENT
add_environment = MAIN_ADD_ENVIRONMENT
.endif

However, I recommend merging everything, because if you don't, things will get worse and worse as more updates are performed.

After that, don't forget to rebuild the configuration file since the template file is just that, a template:

$ update-exim4.conf

You can then check that everything went well:

$ exim4 -bP >/dev/null

You shouldn't see the warning any more.
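
The minimal variant of the steps above (take only the keep_environment stanza, with a backup) can be scripted. This is an added example, not part of the original article or of the exim4 package; the function names are hypothetical, and inserting before the first "begin" line (where Exim's main configuration section ends) is an assumption about where to place the stanza.

```shell
#!/bin/sh
# Added example: function names and the insertion point are assumptions.

# has_keep_environment FILE
# Exit 0 if keep_environment is set on a non-comment line of the main
# section, i.e. before the first "begin ..." line of the file.
has_keep_environment() {
    awk '
        /^[ \t]*begin[ \t]/              { exit }
        /^[ \t]*keep_environment[ \t]*=/ { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# add_keep_environment FILE
# If the option is missing, save FILE as FILE.bak and insert the stanza from
# exim4.conf.template.dpkg-dist before the first "begin" line (appending it
# when the file has no such line). Does nothing if the option is present.
add_keep_environment() {
    file=$1
    if has_keep_environment "$file"; then
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1
    awk '
        function stanza() {
            print ".ifdef MAIN_KEEP_ENVIRONMENT"
            print "keep_environment = MAIN_KEEP_ENVIRONMENT"
            print ".else"
            print "# set option to empty value to avoid warning."
            print "keep_environment ="
            print ".endif"
            print ".ifdef MAIN_ADD_ENVIRONMENT"
            print "add_environment = MAIN_ADD_ENVIRONMENT"
            print ".endif"
        }
        !done && /^[ \t]*begin[ \t]/ { stanza(); done = 1 }
        { print }
        END { if (!done) stanza() }
    ' "$file.bak" > "$file"
}
```

After calling add_keep_environment on your exim4.conf.template, you still need to run update-exim4.conf and repeat the exim4 -bP check as described above.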
