qmail (and possibly other MTAs), for security reasons, use suid mail queuing programs which are not owned by root. This has the apparent advantage that a security hole will not lead to root compromise; however, since root normally sends mail on a daily basis, an attacker could gain root by overwriting the mail queuing program and removing the suid bit. (Similar to the UUCP security hole).
If mailwrapper(8) is run by root, it should drop privileges, either to 'nobody', or ideally to a user specified in /etc/mail/mailer.conf.
How-To-Repeat:
1. Install qmail.
2. Find a security hole in qmail-queue.
3. Exploit the hole with code which overwrites qmail-queue with your favorite trojan and then removes the suid bit.
4. Wait until `periodic daily` sends an email from uid 0.
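The mitigation proposed in the report (drop root before running the configured mailer), as an added example; it is not mailwrapper's source and not the change made in r273787. The target user `nobody` and taking the mailer path from `argv[1]` are assumptions of the example.

```c
/* Added example, not mailwrapper source: drop root before exec'ing a mailer. */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/*
 * Permanently switch from root to `user`.
 * Returns 1 if the caller is not root (nothing to drop), 0 on success,
 * -1 on any failure, in which case the caller must not exec anything.
 */
int drop_privileges(const char *user)
{
    struct passwd *pw;

    if (geteuid() != 0)
        return 1;
    if ((pw = getpwnam(user)) == NULL || pw->pw_uid == 0)
        return -1;                   /* unknown user, or an alias for uid 0 */
    /* Order matters: supplementary groups and gid go first, while the
     * process still has the privilege to change them. */
    if (setgroups(1, &pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)     /* as root: sets real, effective, saved */
        return -1;
    /* Verify the drop cannot be undone. */
    if (getuid() == 0 || geteuid() == 0 || setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    /* Assumptions: target user "nobody"; mailer path passed as argv[1]. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/mailer [args...]\n", argv[0]);
        return 1;
    }
    if (drop_privileges("nobody") < 0) {
        fprintf(stderr, "refusing to run %s as root\n", argv[1]);
        return 1;
    }
    execv(argv[1], &argv[1]);        /* a replaced binary now runs unprivileged */
    perror(argv[1]);
    return 1;
}
```

A mailer that is itself setuid to a non-root account still gains that account's uid at exec time, so a queuing program such as qmail-queue keeps working when started this way.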
Fixed by r273787
Sorry I closed the wrong one :)
For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017
- Set Status to "Open"