Bug 31387 - mailwrapper(8): When getuid(2)=0, mailwrapper should drop privileges
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 4.4-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2001-10-20 16:00 UTC by Colin Percival
Modified: 2018-05-20 23:57 UTC
Description Colin Percival 2001-10-20 16:00:01 UTC
qmail (and possibly other MTAs), for security reasons, use suid mail queuing programs which are not owned by root.  This has the apparent advantage that a security hole will not lead to root compromise; however, since root normally sends mail on a daily basis, an attacker could gain root by overwriting the mail queuing program and removing the suid bit.  (Similar to the UUCP security hole).

Fix:

If mailwrapper(8) is run by root, it should drop privileges, either to 'nobody', or ideally to a user specified in /etc/mail/mailer.conf

How-To-Repeat:
1. Install qmail.
2. Find a security hole in qmail-queue.
3. Exploit the hole with code which overwrites qmail-queue with your favorite trojan and then removes the suid bit.
4. Wait until `periodic daily` sends an email from uid 0.
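
The privilege drop proposed under "Fix" above, sketched as an added example (not FreeBSD's mailwrapper source and not part of the original report). The function name drop_privs_if_root and the mailer path are hypothetical; 'nobody' is the fallback user the report suggests. With this in place, a replaced mailer binary that has lost its suid bit runs as the unprivileged user rather than as uid 0.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns 0 if the caller is not root (nothing to
 * drop), 1 if privileges were dropped to `user`, -1 on any failure, in
 * which case the caller must not exec the mailer. */
int drop_privs_if_root(const char *user)
{
    if (getuid() != 0)
        return 0;

    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;              /* unknown user, or target is still uid 0 */

    /* Order matters: supplementary groups, then gid, then uid. After
     * setuid() succeeds the process may no longer change the others. */
    if (setgroups(1, &pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;

    /* Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || getuid() == 0 || geteuid() == 0)
        return -1;
    return 1;
}

int main(int argc, char **argv)
{
    const char *mailer = "/path/to/mailer";  /* placeholder, not a real path */

    (void)argc;
    if (drop_privs_if_root("nobody") < 0) {
        fprintf(stderr, "mailwrapper: cannot drop privileges, not running mailer\n");
        return 1;
    }
    execv(mailer, argv);        /* only reached as a non-root user */
    perror("execv");
    return 1;
}
```
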
Comment 1 Baptiste Daroussin freebsd_committer 2014-11-05 06:09:55 UTC
Fixed by r273787
Comment 2 Baptiste Daroussin freebsd_committer 2014-11-05 06:10:27 UTC
Sorry I closed the wrong one :)
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2018-05-20 23:57:05 UTC
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"