Bug 31387

Summary:	mailwrapper(8): When getuid(2)=0, mailwrapper should drop priviledges
Product:	Base System	Reporter:	Colin Percival <cperciva>
Component:	bin	Assignee:	freebsd-bugs (Nobody) <bugs>
Status:	Open ---
Severity:	Affects Only Me
Priority:	Normal
Version:	4.4-RELEASE
Hardware:	Any
OS:	Any

Description Colin Percival 2001-10-20 16:00:01 UTC

qmail (and possibly other MTAs), for security reasons, use suid mail queuing programs which are not owned by root.  This has the apparent advantage that a security hole will not lead to root compromise; however, since root normally sends mail on a daily basis, an attacker could gain root by overwriting the mail queuing program and removing the suid bit.  (Similar to the UUCP security hole).

Fix: 

If mailwrapper(8) is run by root, it should drop priviledges, either to 'nobody', or ideally to a user specified in /etc/mail/mailer.conf
How-To-Repeat: 1. Install qmail.
2. Find a security hole in qmail-queue.
3. Exploit the hole with code which overwrites qmail-queue with your favorite trojan and then removes the suid bit.
4. Wait until `periodic daily` sends an email from uid 0.

Comment 1 Baptiste Daroussin freebsd_committer

2014-11-05 06:09:55 UTC

Fixed by r273787

Comment 2 Baptiste Daroussin freebsd_committer

2014-11-05 06:10:27 UTC

Sorry I closed the wrong one :)

Comment 3 Eitan Adler freebsd_committer

2018-05-20 23:57:05 UTC

For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"