Date: Sat, 20 Oct 2001 07:50:25 -0700 (PDT) From: Colin Percival <cperciva@sfu.ca> To: freebsd-gnats-submit@FreeBSD.org Subject: bin/31387: When getuid()=0, mailwrapper should drop priviledges Message-ID: <200110201450.f9KEoPw62995@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 31387 >Category: bin >Synopsis: When getuid()=0, mailwrapper should drop priviledges >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sat Oct 20 08:00:01 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Colin Percival >Release: 4.4-RELEASE >Organization: >Environment: >Description: qmail (and possibly other MTAs), for security reasons, use suid mail queuing programs which are not owned by root. This has the apparent advantage that a security hole will not lead to root compromise; however, since root normally sends mail on a daily basis, an attacker could gain root by overwriting the mail queuing program and removing the suid bit. (Similar to the UUCP security hole). >How-To-Repeat: 1. Install qmail. 2. Find a security hole in qmail-queue. 3. Exploit the hole with code which overwrites qmail-queue with your favorite trojan and then removes the suid bit. 4. Wait until `periodic daily` sends an email from uid 0. >Fix: If mailwrapper(8) is run by root, it should drop priviledges, either to 'nobody', or ideally to a user specified in /etc/mail/mailer.conf >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200110201450.f9KEoPw62995>