From owner-freebsd-security Fri Apr 30 8:53:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 0670E14F96 for ; Fri, 30 Apr 1999 08:53:15 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id LAA20802; Fri, 30 Apr 1999 11:52:31 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Fri, 30 Apr 1999 11:52:31 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Pedro J. Lobo"
Cc: Fernando Schapachnik, freebsd-security@FreeBSD.ORG
Subject: Re: Does mail.local need to be setuid-root?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 30 Apr 1999, Pedro J. Lobo wrote:

> On Fri, 30 Apr 1999, Fernando Schapachnik wrote:
>
> >In an earlier message, Robert Watson wrote:
> >> On Fri, 30 Apr 1999, Pedro J. Lobo wrote:
> >>
> >> > As you may see, it is a rather ugly "feature". So, the question is: does
> >> > /usr/libexec/mail.local need to be setuid root? Or, alternatively, can I
> >> > use /usr/bin/mail as the local mailer? I also administer an alpha with
> >> > Tru64 Unix 4.0d and it uses /bin/mail (no setuid/setgid) as the local
> >> > mailer.
> >
> >You can use procmail, which doesn't need suid.
>
> Maybe I give it a try. In the meantime, I've done a few more tests, and I
> don't like too much what I've seen.
>
> I have looked at the mail.local code, and it does a seteuid(2) to the
> recipient's UID. So, why does the system allow it to write over quota?
>
> I've written a small test program, and have found this: if you seteuid()
> and open a file for writing, write() or fwrite() calls will fail (that is,
> if the effective user is over quota). But, if you open the file, and call
> seteuid() when the file is already open, then you can write as much data
> as you want. As mail.local does this (first opens the user's mailbox, then
> seteuid()'s), the quotas are ignored.
>
> I think this is a bug, and that quotas should be checked (and applied)
> every time you call write() or fwrite() or whatever. Opinions?

The credentials used to open a file remain bound to the file object. This
is actually very useful, as it means a privileged program can pass access
to a file/whatever using the ancillary data feature, etc. Similarly, a
setuid program can open a terminal device, say, and then change its uid
so that it doesn't have the privilege to open other terminal devices, but
still has the first open. But this is clearly a downside if you later want
to restrict access.

Presumably the answer is to perform the open that delivers the mail
*after* the setting of the uid. You'll need to also open the file
beforehand to create it if necessary and set ownership, etc. Once you
believe delivery will succeed, reopen the file in the restricted
environment. Have mail.local return some kind of success/fail to the
parent so you can catch race conditions like the user performing rm
/var/mail/user between the check and the reopen.

Alternatively, a cheap solution that is susceptible to some races would be
simply to check if there was room to deliver the message before
delivering, and returning a transient error if not. It's conceivable that
a user could get a race in there, but that would work only for one
message.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
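The two-phase ordering Robert describes (create and chown the mailbox with privilege, then seteuid() and reopen so the delivering descriptor carries the recipient's credentials and is subject to that user's quota, and report success or transient failure back to the caller so the rm-between-check-and-reopen race is caught) written out as an added C example. This is illustrative code added to the thread, not mail.local's source; the function names (prepare_mailbox, deliver_as_recipient, deliver_message, mailbox_size), the status codes, and the scratch mailbox path under /tmp are all constructed for the example.

```c
/* Added example: privilege-ordered local delivery (hypothetical, not mail.local). */
#define _GNU_SOURCE            /* O_NOFOLLOW etc. on glibc; ignored elsewhere */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifndef O_NOFOLLOW             /* assumption: fall back to no flag on libcs lacking it */
#define O_NOFOLLOW 0
#endif

/* Outcome reported to the caller (the MTA): retry on TEMPFAIL, bounce on PERMFAIL. */
enum deliver_status { DELIVER_OK = 0, DELIVER_TEMPFAIL = 1, DELIVER_PERMFAIL = 2 };

/* Phase 1 (privileged): make sure the mailbox exists and belongs to the
 * recipient. No message data is written through this descriptor. */
static int prepare_mailbox(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchown(fd, uid, gid) < 0) {    /* on the descriptor, not the path */
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Phase 2 (restricted): set the effective uid FIRST, then open. The new
 * descriptor is created under the recipient's credentials, so the kernel
 * applies the recipient's quota to every write() made through it. */
static enum deliver_status
deliver_as_recipient(const char *path, uid_t uid, const char *msg, size_t len)
{
    uid_t saved_euid = geteuid();
    if (seteuid(uid) < 0)
        return DELIVER_TEMPFAIL;

    enum deliver_status st = DELIVER_OK;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) {
        st = DELIVER_TEMPFAIL;           /* mailbox gone between phase 1 and 2: retry */
    } else {
        struct stat sb;
        if (fstat(fd, &sb) < 0 || !S_ISREG(sb.st_mode) || sb.st_uid != uid)
            st = DELIVER_PERMFAIL;       /* not a plain file owned by the recipient */
        else if (sb.st_nlink == 0)
            st = DELIVER_TEMPFAIL;       /* unlinked after we opened it: retry */
        else {
            off_t start = sb.st_size;
            size_t done = 0;
            while (done < len) {
                ssize_t n = write(fd, msg + done, len - done);
                if (n < 0 && errno == EINTR)
                    continue;
                if (n <= 0) {
                    /* Over quota / disk full is transient; anything else is permanent.
                     * Either way, drop the partial message so the mailbox stays intact. */
                    st = (errno == EDQUOT || errno == ENOSPC) ? DELIVER_TEMPFAIL
                                                              : DELIVER_PERMFAIL;
                    (void)ftruncate(fd, start);
                    break;
                }
                done += (size_t)n;
            }
        }
        close(fd);
    }
    (void)seteuid(saved_euid);           /* give the caller its privilege back */
    return st;
}

/* Whole delivery: prepare with privilege, write without it. */
enum deliver_status
deliver_message(const char *path, uid_t uid, gid_t gid, const char *msg, size_t len)
{
    if (prepare_mailbox(path, uid, gid) < 0)
        return DELIVER_TEMPFAIL;
    return deliver_as_recipient(path, uid, msg, len);
}

/* Current size of a mailbox in bytes, or -1 if it cannot be stat'ed. */
long mailbox_size(const char *path)
{
    struct stat sb;
    return stat(path, &sb) == 0 ? (long)sb.st_size : -1;
}

int main(void)
{
    /* Constructed sample: deliver to a scratch mailbox owned by the current user. */
    const char *path = "/tmp/mail_local_example.mbox";
    const char msg[] = "From sender@example.invalid\nSubject: test\n\nhello\n";
    unlink(path);
    enum deliver_status st = deliver_message(path, getuid(), getgid(), msg, sizeof msg - 1);
    printf("status=%d size=%ld\n", (int)st, mailbox_size(path));
    return st == DELIVER_OK ? 0 : 1;
}
```

Run unprivileged, seteuid() to your own uid is a no-op and no quota is set on /tmp, so the example only exercises the ordering and the failure reporting, not an actual EDQUOT; the point it demonstrates is that the descriptor used for the data writes is opened after the credential change, and that a vanished mailbox or a quota error comes back as a transient status rather than being silently ignored.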