From nobody@FreeBSD.org  Sat Oct 20 07:50:26 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id D464B37B401
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 20 Oct 2001 07:50:25 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f9KEoPw62995;
	Sat, 20 Oct 2001 07:50:25 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200110201450.f9KEoPw62995@freefall.freebsd.org>
Date: Sat, 20 Oct 2001 07:50:25 -0700 (PDT)
From: Colin Percival <cperciva@sfu.ca>
To: freebsd-gnats-submit@FreeBSD.org
Subject: When getuid()=0, mailwrapper should drop privileges
X-Send-Pr-Version: www-1.0

>Number:         31387
>Category:       bin
>Synopsis:       mailwrapper(8): When getuid(2)=0, mailwrapper should drop privileges
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 20 08:00:01 PDT 2001
>Closed-Date:    
>Last-Modified:  Mon Sep 29 03:35:54 UTC 2008
>Originator:     Colin Percival
>Release:        4.4-RELEASE
>Organization:
>Environment:
>Description:
qmail (and possibly other MTAs), for security reasons, use suid mail queuing programs which are not owned by root.  This has the apparent advantage that a security hole will not lead to root compromise; however, since root normally sends mail on a daily basis, an attacker could gain root by overwriting the mail queuing program and removing the suid bit.  (Similar to the UUCP security hole.)
>How-To-Repeat:
1. Install qmail.
2. Find a security hole in qmail-queue.
3. Exploit the hole with code which overwrites qmail-queue with your favorite trojan and then removes the suid bit.
4. Wait until `periodic daily` sends an email from uid 0.
>Fix:
If mailwrapper(8) is run by root, it should drop privileges, either to 'nobody', or ideally to a user specified in /etc/mail/mailer.conf.

>Release-Note:
>Audit-Trail:
>Unformatted:
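
The fix proposed under >Fix:, as an added C example; it is not part of the original report and is not taken from mailwrapper's source. The function names `resolve_target` and `drop_if_root` are hypothetical, and "nobody" is the account the report suggests; a wrapper would call `drop_if_root` before exec'ing the configured mailer.

```c
/* Added example: permanent privilege drop for a root-invoked wrapper. */
#define _DEFAULT_SOURCE          /* setgroups(2) prototype on glibc */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Look up the unprivileged account; refuse unknown users and uid 0. */
int resolve_target(const char *user, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Returns 0 if the caller is not root (nothing to do), 1 if privileges
 * were dropped to `user`, -1 on any failure (caller must not exec). */
int drop_if_root(const char *user)
{
    uid_t uid;
    gid_t gid;

    if (getuid() != 0)
        return 0;
    if (resolve_target(user, &uid, &gid) != 0)
        return -1;
    /* Order matters: groups and gid first, uid last, while still root. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining uid 0 must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -1;
    return 1;
}

int main(void)
{
    int rc = drop_if_root("nobody");   /* account suggested in the report */
    if (rc < 0) {
        fprintf(stderr, "refusing to run mailer: privilege drop failed\n");
        return 1;
    }
    printf("uid=%d euid=%d (%s)\n", (int)getuid(), (int)geteuid(),
           rc ? "dropped" : "not root, unchanged");
    return 0;
}
```

Treating a failed drop as fatal matters here: if the wrapper fell through and ran the mailer as root anyway, the replaced queuing program described in the report would still execute with uid 0.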
