Philip Guenther said:
> Weird. The 'S' flag on the local mailer is there for the exact purpose
> of having sendmail _not_ run as the sending user in this situation.
> Are you sure sendmail is setuid root?

Yup.

    -r-sr-sr-x 1 root kmem 655360 Sep 30 19:44 /usr/lib/sendmail
    -rwsr-xr-x 1 root bin 90112 Oct 22 13:18 /usr/local/bin/procmail

Here's where the problem stems from - as for who is right and wrong....
In sendmail: deliver.c:

      deliver(ENVELOPE *e)
      {
          .
          .
          /*XXX this seems a bit wierd */
          if (ctladdr == NULL && m != ProgMailer && m != FileMailer &&
              bitset(QGOODUID, e->e_from.q_flags))
===>          ctladdr = &e->e_from;
          .
          .
          /* reset user id */
          if (bitnset(M_SPECIFIC_UID, m->m_flags))
              new_euid = m->m_uid;
          if (bitset(S_ISUID, stb.st_mode))
              new_ruid = stb.st_uid;
===>      else if (ctladdr != NULL && ctladdr->q_uid != 0)
===>          new_ruid = ctladdr->q_uid;
          else if (m->m_uid != 0)
              new_ruid = m->m_uid;
          else if (!bitnset(M_SPECIFIC_UID, m->m_flags))
              new_ruid = DefUid;
          if (new_euid != NO_UID)
          {
              setreuid(new_ruid, new_euid);
          }
          else if (new_ruid != NO_UID)
          {
              setuid(new_ruid);
          }
          .
          .
          /* try to execute the mailer */
          execve(m->m_mailer, (ARGV_T) pv, (ARGV_T) UserEnviron);
      }

So what happens is that procmail is exec'd with an effective uid of root but
a real uid of the local sender (ctladdr). BTW, the XXX comment above is really
from the code!
Then in procmail, if (uid != euid) and the uid is not in TRUSTED_IDS, then we
eventually get to the fake warning code.
Hmmm.
--
Mike Spengler Minnesota Supercomputer Center, Inc.
Email: mks(_at_)msc(_dot_)edu 1200 Washington Ave. So.
Phone: +1 612 337 3557 Minneapolis MN 55415
FAX: +1 612 337 3400