From nobody@FreeBSD.org  Sat Jul 27 10:15:19 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 914E637B400
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 27 Jul 2002 10:15:19 -0700 (PDT)
Received: from www.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4F58343E4A
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 27 Jul 2002 10:15:19 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.4/8.12.4) with ESMTP id g6RHFJOT018417
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 27 Jul 2002 10:15:19 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.4/8.12.4/Submit) id g6RHFJ7w018414;
	Sat, 27 Jul 2002 10:15:19 -0700 (PDT)
Message-Id: <200207271715.g6RHFJ7w018414@www.freebsd.org>
Date: Sat, 27 Jul 2002 10:15:19 -0700 (PDT)
From: Jon <cykyc@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Sendmail assumptions in startup scripts may lead to a temporary DoS
X-Send-Pr-Version: www-1.0

>Number:         41054
>Category:       conf
>Synopsis:       Sendmail assumptions in startup scripts may lead to a temporary DoS
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    ceri
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 27 10:20:01 PDT 2002
>Closed-Date:    Sun Jun 08 11:03:28 PDT 2003
>Last-Modified:  Sun Jun 08 11:03:28 PDT 2003
>Originator:     Jon
>Release:        FreeBSD 4.6-RC i386
>Organization:
>Environment:
FreeBSD novaV2 4.6-RC FreeBSD 4.6-RC #3: Thu May 16 18:52:21 CDT 2002 root@novaV2:/usr/obj/usr/src/sys/NOVAV2 i386
>Description:
      From /etc/rc, revision 1.212.2.50 (no change in rev 1.314):

# Delete any recovery files that are zero length,
# corrupted, or that have no corresponding backup file.
# Else send mail to the user.
recfile=`awk '/^X-vi-recover-path:/{print $2}' < "${i}"`
if [ -n "${recfile}" -a -s "${recfile}" ]; then
	sendmail -t < "${i}"
else
	rm -f "${i}"
fi


When the sendmail_enable entry in /etc/rc.conf is set at "NONE", recovery files exist in /var/tmp/vi.recover, and the system is rebooting, the system may be delayed during the restart.  This is due to a recovery message trying to be sent to a user within /etc/rc from the 'sendmail -t < "${i}"' entry.   I'm assuming the delay is a function of how many recovery files exist.  This potentially could result in a crude Denial of Service attack if the aforementioned criteria are set, and an entity creates numerous vi recovery files.


>How-To-Repeat:
      1. Set the sendmail_enable entry to "NONE"
      2. Create some vi recovery files as a normal user (start up a session and kill it works easy enough)
      3. Wait for a reboot of the system

>Fix:
      A check against sendmail_enable set to "NONE" to avoid timeouts should be performed within all the startup scripts wherever sendmail is being used.

Issuing a ^C during startup should also stop the delay during a reboot, if at the console.
>Release-Note:
>Audit-Trail:

From: Jon <cykyc@yahoo.com>
To: cykyc@yahoo.com, freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: resend Re: fix:Re: conf/41054: Sendmail assumptions in startup scripts may lead to a temporary DoS
Date: Sat, 10 Aug 2002 06:51:54 -0700 (PDT)

 --0-1272037419-1028987514=:82687
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 sorry about the premature send...
 
 This works to bypass trying to send the user mail for vi recovery
 files.  Attached is the output in case yahoo mangles the lines.
 
 Jon
 
 
 --- rc.orig     Sat Aug 10 08:11:37 2002
 +++ rc  Sat Aug 10 08:20:45 2002
 @@ -799,10 +799,21 @@
 
                         # Delete any recovery files that are zero
 length,
                         # corrupted, or that have no corresponding
 backup file.
 +                       # If sendmail_enable set to NONE, don't
 mail.
                         # Else send mail to the user.
                         recfile=`awk '/^X-vi-recover-path:/{print
 $2}' < "${i}"`
                         if [ -n "${recfile}" -a -s "${recfile}" ];
 then
 +
 +                        case ${sendmail_enable} in
 +                        [Nn][Oo][Nn][Ee])
 +                                echo -n ' sendmail disabled.
 Recovery sessions
 no
 +t sent'
 +                                ;;
 +                       *)
                                 sendmail -t < "${i}"
 +                               ;;
 +                       esac
 +
                         else
                                 rm -f "${i}"
                         fi
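Review bot: the echo string added in the `[Nn][Oo][Nn][Ee])` branch is split across lines, with a `+` line that begins `t sent'`, so as applied the message carries a newline in the middle of "not sent"; put the whole string on one added line. The added lines are also indented inconsistently (compare the `case` line with the `*)` and `esac` lines). Because the check sits in the per-file path next to `sendmail -t < "${i}"`, the notice is printed once for every recovery file that passes the `recfile` test; testing `${sendmail_enable}` once and printing a single line would keep the boot output short.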
 
 
 
 --0-1272037419-1028987514=:82687
 Content-Type: application/octet-stream; name="rc.patch"
 Content-Transfer-Encoding: base64
 Content-Description: rc.patch
 Content-Disposition: attachment; filename="rc.patch"
 
 --0-1272037419-1028987514=:82687--
State-Changed-From-To: open->feedback 
State-Changed-By: jon 
State-Changed-When: Mon Aug 12 11:39:47 PDT 2002 
State-Changed-Why:  
While your proposed solution fixes the problem, it is not a very elegant 
solution.  Sites may have sendmail_enable=NONE, while having the nullclient 
feature in their sendmail.cf.  Theoretically, with this configuration,
users will be able to receive mail, and no timeout is necessary trying to 
send vi recover mail on bootup.  If using a nullclient sendmail configuration 
fits your site configuration, please try it and let me know the results. 
Otherwise, there's probably another proper set of mta configurations that 
will fix the problem.  If you provide details of your site configuration,
I'll see if I can help you out. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=41054 
State-Changed-From-To: feedback->closed 
State-Changed-By: ceri 
State-Changed-When: Sun Jun 8 11:03:27 PDT 2003 
State-Changed-Why:  
Feedback timeout (6 months or more). 
I will handle any feedback that this closure generates. 


Responsible-Changed-From-To: freebsd-bugs->ceri 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Sun Jun 8 11:03:27 PDT 2003 
Responsible-Changed-Why:  
Feedback timeout (6 months or more). 
I will handle any feedback that this closure generates. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=41054 
>Unformatted:
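
One way to structure the check the report asks for, as an added example that is not FreeBSD's /etc/rc and not the submitter's patch: classify each recovery file first, report skipped notices once, and bound the time spent waiting on the mailer. The function names, the MAILER and MAIL_TIMEOUT variables, and the recover.* file naming are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not FreeBSD's /etc/rc. recover_action, send_bounded,
# process_recover_dir, MAILER and MAIL_TIMEOUT are hypothetical names.

# Classify one recovery file: prints "delete", "skip" or "mail".
# $1 = recovery file, $2 = value of sendmail_enable
recover_action() {
	recfile=$(awk '/^X-vi-recover-path:/{print $2; exit}' < "$1")
	if [ -z "$recfile" ] || [ ! -s "$recfile" ]; then
		echo delete
		return 0
	fi
	case $2 in
	[Nn][Oo][Nn][Ee]) echo skip ;;   # no MTA configured: do not call it
	*) echo mail ;;
	esac
}

# Hand $1 to the mailer, but stop waiting after MAIL_TIMEOUT seconds so a
# mailer that cannot deliver does not hold up the rest of startup.
send_bounded() {
	${MAILER:-sendmail} -t < "$1" &
	pid=$!
	( sleep "${MAIL_TIMEOUT:-10}"; kill "$pid" ) >/dev/null 2>&1 &
	watchdog=$!
	status=0
	wait "$pid" || status=$?
	kill "$watchdog" 2>/dev/null || true
	return "$status"
}

# Walk the directory once; $skipped counts notices withheld because
# sendmail_enable is NONE, reported on a single line instead of per file.
# $1 = recovery directory (assumed to hold recover.* files), $2 = sendmail_enable
process_recover_dir() {
	skipped=0
	for i in "$1"/recover.*; do
		[ -f "$i" ] || continue
		case $(recover_action "$i" "$2") in
		delete) rm -f "$i" ;;
		mail) send_bounded "$i" || echo " could not mail $i" >&2 ;;
		skip) skipped=$((skipped + 1)) ;;
		esac
	done
	[ "$skipped" -eq 0 ] || echo " sendmail disabled: $skipped notices not sent"
}
```

Skipped files are left in place so the user can still recover the session; only the mail notification is withheld.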
