procmail
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Bug in DROPPRIVS w/r/t gid?

1998-08-18 21:47:47
from [John D. Hardin] [Permanent Link] 
On Tue, 18 Aug 1998, Philip Guenther wrote:


"John D. Hardin" <jhardin(_at_)wolfenet(_dot_)com> writes:

I've gotten the following problem report from an admin running my
perl-based MIME sanitizer: whenever mail to one of the wheel group users
is received, perl complains about being run setuid.


Can you have the reporting admin answer the following questions?


I'll cc this reply to him.


What are the permissions and ownerships (user and group) of the mail
spool directory and the procmail binary, and how is procmail being
called?  (If it's being called as the local mailer from sendmail, what
is the output of
      sendmail -odi -d11.2 -f root some_group_wheel_user < /dev/null
?)  Finally, what is the output of
      grep gid /path/to/compiled/procmail/sources/autoconf.h
?

As a possible quick blind-guess solution, if the spool directory is
world writable then make procmail *not* setgid.  That _might_ work.


Here's the /etc/procmailrc:

 SHELL=/bin/ksh
 DROPPRIVS=YES
 LOGFILE=$HOME/procmail.log
 PATH="/usr/local/bin;/usr/bin;$PATH"


This isn't causing the problem with perl, but those semicolons should be
colons.


D'oh! I didn't even see that. {grabs Visine}


 LOG=`id`
 INCLUDERC=/etc/procmail/html-trap.procmail
 LOGFILE=/dev/null

And here's the first bit of the log, neatened up a bit:

 uid=968(cyber) gid=0(wheel) egid=100(user) groups=100(user), 0(wheel),
   6(uucp), 20(staff), 101(shell)
 Sanitizing MIME attachment headers in "test" from David Monk
   <cyber(_at_)ns(_dot_)vantek(_dot_)net> to cyber
 No -e allowed in setuid scripts.
 procmail: Program failure (255) of " perl -p -e '       #\

The gid/egid discrepancy is triggering the setuid warning. Shouldn't the
gid also be 100 after DROPPRIVS?


Yes, assuming the platform has reasonable saved group id semantics.
(Hint: most screw this up.  Even BSD 4.4 and POSIX miffed this.)
Procmail may need to switch gids in order to dotlock the mailspool.


--
 John Hardin KA7OHZ                               
jhardin(_at_)wolfenet(_dot_)com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
-----------------------------------------------------------------------
  Your mouse has moved. Windows NT must be restarted for the change
  to take effect. Reboot now?  [ OK ]
-----------------------------------------------------------------------
   68 days until Daylight Savings Time ends
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: tcsh, Volker Kuhlmann
Next by Date:  Re: tcsh, Colin J. Raven
Previous by Thread:  Re: Bug in DROPPRIVS w/r/t gid?, Philip Guenther
Next by Thread:  help with a recipe, Marcelo B. Ribeiro
Indexes:  [Date] [Thread] [Top] [All Lists]