author: Phil Pennock <pdp@exim.org> 2011-01-23 05:44:45 -0500
committer: Phil Pennock <pdp@exim.org> 2011-01-23 05:44:45 -0500
commit: b7487bcec431809cb7fc3c2b42fcd607e43d37e7
tree: 4e02a85e56d765269e861791ab00acd7c678f775
parent: b70d25860f3e7dfe54ad69a5695a9bff7d380f08
Bug 1071: fix delivery logging with untrusted macros.
If dropping privileges for untrusted macros, we disabled normal logging on the basis that it would fail; for the Exim run-time user, this is not the case, and it resulted in successful deliveries going unlogged. Fixed. Reported by Andreas Metzler.
-rw-r--r-- doc/doc-txt/ChangeLog 6
-rw-r--r-- src/src/exim.c 8
2 files changed, 12 insertions, 2 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 4c35fb6d1..b18bc053e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -40,6 +40,12 @@ PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a
PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code.
(Wolfgang Breyha)
+PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
+ If dropping privileges for untrusted macros, we disabled normal logging
+ on the basis that it would fail; for the Exim run-time user, this is not
+ the case, and it resulted in successful deliveries going unlogged.
+ Fixed. Reported by Andreas Metzler.
+
Exim version 4.73
-----------------
diff --git a/src/src/exim.c b/src/src/exim.c
index f1c3199c3..e23697506 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3338,9 +3338,13 @@ if (( /* EITHER */
and should be used for any logging information because attempts to write
to the log will usually fail. To arrange this, we unset really_exim. However,
if no stderr is available there is no point - we might as well have a go
- at the log (if it fails, syslog will be written). */
+ at the log (if it fails, syslog will be written).
- if (log_stderr != NULL) really_exim = FALSE;
+ Note that if the invoker is Exim, the logs remain available. Messing with
+ this causes unlogged successful deliveries. */
+
+ if ((log_stderr != NULL) && (real_uid != exim_uid))
+ really_exim = FALSE;
}
/* Privilege is to be retained for the moment. It may be dropped later,
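Review bot: the added comment above the new `if` says "if the invoker is Exim, the logs remain available", but the condition only tests `real_uid != exim_uid`, so the comment should say exactly that: `really_exim` is left set when the real uid is the Exim run-time user, because that user can still write the main log after privilege is dropped. "Messing with this causes unlogged successful deliveries" is too vague to guide a later maintainer; suggest replacing it with the concrete consequence, for example "clearing really_exim here sends delivery log lines to stderr only, so successful deliveries are missing from the main log". It would also help to note in the comment that the `log_stderr == NULL` case is unchanged and still falls through to the log and syslog path described two lines earlier, so the two conditions in the `&&` are each accounted for.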