Bug 31387 - mailwrapper(8): When getuid(2)=0, mailwrapper should drop priviledges
Summary: mailwrapper(8): When getuid(2)=0, mailwrapper should drop priviledges
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 4.4-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Depends on:
Reported: 2001-10-20 16:00 UTC by Colin Percival
Modified: 2018-05-20 23:57 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Colin Percival 2001-10-20 16:00:01 UTC
qmail (and possibly other MTAs), for security reasons, use suid mail queuing programs which are not owned by root.  This has the apparent advantage that a security hole will not lead to root compromise; however, since root normally sends mail on a daily basis, an attacker could gain root by overwriting the mail queuing program and removing the suid bit.  (Similar to the UUCP security hole).


If mailwrapper(8) is run by root, it should drop priviledges, either to 'nobody', or ideally to a user specified in /etc/mail/mailer.conf
How-To-Repeat: 1. Install qmail.
2. Find a security hole in qmail-queue.
3. Exploit the hole with code which overwrites qmail-queue with your favorite trojan and then removes the suid bit.
4. Wait until `periodic daily` sends an email from uid 0.
Comment 1 Baptiste Daroussin freebsd_committer 2014-11-05 06:09:55 UTC
Fixed by r273787
Comment 2 Baptiste Daroussin freebsd_committer 2014-11-05 06:10:27 UTC
Sorry I closed the wrong one :)
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2018-05-20 23:57:05 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

- Set Status to "Open"