From owner-freebsd-bugs Sat Oct 20 8: 0:10 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id ABDBE37B403 for ; Sat, 20 Oct 2001 08:00:01 -0700 (PDT) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f9KF01H64007; Sat, 20 Oct 2001 08:00:01 -0700 (PDT) (envelope-from gnats) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id D464B37B401 for ; Sat, 20 Oct 2001 07:50:25 -0700 (PDT) Received: (from nobody@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f9KEoPw62995; Sat, 20 Oct 2001 07:50:25 -0700 (PDT) (envelope-from nobody) Message-Id: <200110201450.f9KEoPw62995@freefall.freebsd.org> Date: Sat, 20 Oct 2001 07:50:25 -0700 (PDT) From: Colin Percival To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-1.0 Subject: bin/31387: When getuid()=0, mailwrapper should drop priviledges Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 31387 >Category: bin >Synopsis: When getuid()=0, mailwrapper should drop priviledges >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sat Oct 20 08:00:01 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Colin Percival >Release: 4.4-RELEASE >Organization: >Environment: >Description: qmail (and possibly other MTAs), for security reasons, use suid mail queuing programs which are not owned by root. This has the apparent advantage that a security hole will not lead to root compromise; however, since root normally sends mail on a daily basis, an attacker could gain root by overwriting the mail queuing program and removing the suid bit. (Similar to the UUCP security hole). >How-To-Repeat: 1. Install qmail. 2. Find a security hole in qmail-queue. 3. Exploit the hole with code which overwrites qmail-queue with your favorite trojan and then removes the suid bit. 4. Wait until `periodic daily` sends an email from uid 0. >Fix: If mailwrapper(8) is run by root, it should drop priviledges, either to 'nobody', or ideally to a user specified in /etc/mail/mailer.conf >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message