Date: Fri, 19 Apr 2002 09:29:07 -0700
From: Gregory Neil Shapiro
To: Doug Barton
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: Proposal for dealing with sendmail [ug]id bootstrapping
Message-ID: <15552.17875.373230.467284@horsey.gshapiro.net>
In-Reply-To: <20020419021942.A10172-100000@master.gorean.org>

DougB> My proposal is simple. Change from using names to numeric [ug]id's
DougB> in mtree, and elsewhere if needed. The plus is that it solves the
DougB> bootstrapping problem. The negatives involve problems with systems
DougB> that don't merge the password and group files, and therefore will
DougB> have directories owned by "weird" users. Another possible difficulty
DougB> involves systems where there are already users with the numeric
DougB> values currently used by sendmail.

This could lead to security problems.
If the UID is already in use by another user on the system, that user
will be able to attack the submission mail queue causing denial of
service and an invasion of privacy. Furthermore, it won't fix the
problem if NO_SENDMAIL=no as it will only delay the installworld
failure until later in the installation process when the sendmail
binary is installed. Finally, it would leave behind a broken system
for sendmail users.

DougB> Another, although more complex option would be to add code such as
DougB> the following (in pseudocode) to /usr/src/etc/Makefile:
DougB>
DougB> if ((not grep ^smmsp: /etc/master.passwd) and
DougB>     (not grep ':25:25:' /etc/master.passwd)) then
DougB>         pw useradd -n smmsp -u 25 -c 'Sendmail Submission User' \
DougB>             -g 25 -s /sbin/nologin -d /var/spool/clientmqueue
DougB>
DougB> And repeat for the other two entries. This is more prone to failure,
DougB> since there are more variables. However, at this point I think it
DougB> would be better than nothing.

I agree this is more prone to failure (even your example above has
problems such as just because :25:25: exists, it doesn't mean it
belongs to smmsp). It has some of the same problems as above, namely
the possible reuse of an existing UID.

Although I really would prefer that people who are building from
source pay attention to things like the handbook section on what to do
when building from source:

- section 19.4.1 says to read /usr/src/UPDATING. This issue is
  documented in that file.
- section 19.4.3 says to update for new users and groups before
  installing. This issue is documented in the handbook itself.
- section 19.4 says to subscribe to the mailing list for the branch
  you are using. This issue has been covered multiple times on both
  the mailing lists.

I guess that is too much to ask for.

IMHO, the best solution for that group of people would be to move the
creation of /var/spool/clientmqueue to a separate mtree file and use
it in src/etc/Makefile's distribution target:

.if !defined(NO_SENDMAIL)
	mtree -deU -f ${.CURDIR}/mtree/sendmail.root.dist -p ${DESTDIR}/
.endif

This solves the NO_SENDMAIL case. For users who are using sendmail,
the users really do need to exist before an installworld for the
reasons given above. So my solution would be to change the
installworld: target in src/Makefile.inc1:

- installworld:
+ installworld: installcheck

And add the installcheck target:

installcheck:
.if !defined(NO_SENDMAIL)
	@if ! `grep -q ^smmsp: /etc/master.passwd`; then \
		echo "smmsp user missing. Read /usr/src/UPDATING."; \
		false; \
	fi; \
	if ! `grep -q ^smmsp: /etc/group`; then \
		echo "smmsp group missing. Read /usr/src/UPDATING."; \
		false; \
	fi
.endif

The installcheck target may be useful for the other checks now and in
the future.
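
Added example (not part of the original message or the FreeBSD source tree): a field-exact version of the pre-install check discussed above, which tells "smmsp missing" apart from "uid/gid 25 already held by another account", the case a grep for ':25:25:' cannot see. The function names check_id, check_smmsp and make_samples are hypothetical, the ids 25/25 are taken from the quoted pw command, and the sample entries (including the user "alice") are constructed.

```shell
#!/bin/sh
# check_id FILE NAME ID [GID]   (FILE in passwd/master.passwd or group format)
#   0 = NAME present with the expected ids, and ID held by nobody else
#   1 = NAME missing
#   2 = NAME present but with different ids
#   3 = ID already held by another name (the UID-reuse case)
check_id() {
    awk -F: -v name="$2" -v id="$3" -v gid="${4:-}" '
        /^#/ || NF < 3 { next }                 # skip comments and blank lines
        $1 == name { found = 1
                     if ($3 != id || (gid != "" && $4 != gid)) wrong = 1 }
        $1 != name && $3 == id { taken = taken " " $1 }
        END {
            if (taken != "") { print "id " id " already used by:" taken; exit 3 }
            if (!found)      { print name " missing"; exit 1 }
            if (wrong)       { print name " has unexpected ids"; exit 2 }
        }' "$1"
}

# installcheck-style wrapper: both the user and the group must pass.
check_smmsp() {   # check_smmsp PASSWD_FILE GROUP_FILE
    status=0
    check_id "$1" smmsp 25 25 || status=1
    check_id "$2" smmsp 25    || status=1
    return $status
}

# Constructed sample data (not taken from a real host).
make_samples() {   # make_samples DIR
    printf '%s\n' 'root:*:0:0::0:0:Charlie &:/root:/bin/csh' \
        'smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin' \
        > "$1/passwd.ok"
    # uid/gid 25 belongs to a local user and smmsp is absent.
    printf '%s\n' 'root:*:0:0::0:0:Charlie &:/root:/bin/csh' \
        'alice:*:25:25::0:0:Local user:/home/alice:/bin/sh' > "$1/passwd.reuse"
    printf '%s\n' 'wheel:*:0:root' 'smmsp:*:25:' > "$1/group.ok"
}

# Run against real files with: sh thisfile /etc/master.passwd /etc/group
if [ $# -eq 2 ]; then check_smmsp "$1" "$2"; fi
```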