31387 – mailwrapper(8): When getuid(2)=0, mailwrapper should drop priviledges

Bug 31387 - mailwrapper(8): When getuid(2)=0, mailwrapper should drop priviledges

Summary: mailwrapper(8): When getuid(2)=0, mailwrapper should drop priviledges

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	4.4-RELEASE
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2001-10-20 16:00 UTC by Colin Percival
Modified:	2018-05-20 23:57 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Colin Percival 2001-10-20 16:00:01 UTC

qmail (and possibly other MTAs), for security reasons, use suid mail queuing programs which are not owned by root.  This has the apparent advantage that a security hole will not lead to root compromise; however, since root normally sends mail on a daily basis, an attacker could gain root by overwriting the mail queuing program and removing the suid bit.  (Similar to the UUCP security hole).

Fix: 

If mailwrapper(8) is run by root, it should drop priviledges, either to 'nobody', or ideally to a user specified in /etc/mail/mailer.conf
How-To-Repeat: 1. Install qmail.
2. Find a security hole in qmail-queue.
3. Exploit the hole with code which overwrites qmail-queue with your favorite trojan and then removes the suid bit.
4. Wait until `periodic daily` sends an email from uid 0.

Comment 1 Baptiste Daroussin freebsd_committer

2014-11-05 06:09:55 UTC

Fixed by r273787

Comment 2 Baptiste Daroussin freebsd_committer

2014-11-05 06:10:27 UTC

Sorry I closed the wrong one :)

Comment 3 Eitan Adler freebsd_committer

2018-05-20 23:57:05 UTC

For bugs matching the following conditions:
- Status == In Progress
- Assignee == "bugs@FreeBSD.org"
- Last Modified Year <= 2017

Do
- Set Status to "Open"