From timon@netherworld.ru Fri Jun 28 05:15:44 2002 Return-Path: Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA43D37B400 for ; Fri, 28 Jun 2002 05:15:43 -0700 (PDT) Received: from netherworld.ru (memphis.mephi.ru [194.67.67.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id A426343E06 for ; Fri, 28 Jun 2002 05:15:29 -0700 (PDT) (envelope-from timon@netherworld.ru) Received: from netherworld.ru (localhost [127.0.0.1]) by netherworld.ru (8.12.3/8.12.3) with ESMTP id g5SC81C9049971 for ; Fri, 28 Jun 2002 16:08:01 +0400 (MSD) (envelope-from timon@netherworld.ru) Received: (from timon@localhost) by netherworld.ru (8.12.3/8.12.3/Submit) id g5SC81CR049970; Fri, 28 Jun 2002 16:08:01 +0400 (MSD) Message-Id: <200206281208.g5SC81CR049970@netherworld.ru> Date: Fri, 28 Jun 2002 16:08:01 +0400 (MSD) From: "Artem 'Zazoobr' Ignatjev" Reply-To: "Artem 'Zazoobr' Ignatjev" To: FreeBSD-gnats-submit@freebsd.org Cc: Subject: Sendmail 8.12.3 and `msgs' alias X-Send-Pr-Version: 3.113 X-GNATS-Notify: >Number: 39951 >Category: misc >Synopsis: Sendmail 8.12.3 and `msgs' alias >Confidential: no >Severity: non-critical >Priority: medium >Responsible: gshapiro >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Jun 28 05:20:01 PDT 2002 >Closed-Date: Sat Feb 08 11:04:14 PST 2003 >Last-Modified: Sat Feb 08 11:04:14 PST 2003 >Originator: Artem 'Zazoobr' Ignatjev >Release: FreeBSD 4.6-RELEASE i386 >Organization: NetherWorld Ultima Online Server >Environment: System: FreeBSD netherworld.ru 4.6-RELEASE FreeBSD 4.6-RELEASE #0: Fri Jun 14 12:49:08 MSD 2002 root@netherworld.ru:/usr/obj/usr/src/sys/NETHER i386 >Description: `msgs' (1) alias in aliases(5) file doesn't work. After uncommenting corresponding line in aliases(5) file and rebuilding aliases table, trying mailing to `msgs' user results in error:(see log line) Jun 28 15:45:46 netherworld sm-mta[47911]: g5SBjjC9047909: to="| /usr/bin/msgs -s", ctladdr=msgs@netherworld.ru (26/0), delay=00:00:01, xdelay=00:00:00, mailer=prog, pri=30616, dsn=5.3.0, stat=unknown mailer error 13 Jun 28 15:45:46 netherworld sm-mta[47911]: g5SBjjC9047909: g5SBjkC9047911: DSN: unknown mailer error 13 and following in my mailbox: [skip] ------ Transcript of session follows ----- msgs: /var/msgs/bounds: permission denied >How-To-Repeat: uncomment corresponding line in aliases(5) file, run newaliases, then mail(1) msgs user >Fix: Don't know yet, but: replacing `aliases' command with simple script calling 'id | logger', I've got line in logs: Jun 28 15:52:31 netherworld root: uid=26(mailnull) gid=26(mailnull) groups=26(mailnull) while `ls -la /var/msgs/` tells total 5 drwxr-xr-x 2 daemon wheel 512 28 ÉÀÎ 15:48 . drwxr-xr-x 21 root wheel 512 17 ÁÐÒ 12:21 .. -rw-r--r-- 1 root wheel 57 28 ÉÀÎ 15:48 1 -rw-r--r-- 1 root wheel 54 28 ÉÀÎ 15:48 2 -rw-r--r-- 1 root wheel 4 28 ÉÀÎ 15:48 bounds >Release-Note: >Audit-Trail: From: "Artem 'Zazoobr' Ignatjev" To: freebsd-bugs@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org Cc: Subject: Re: misc/39951: Sendmail 8.12.3 and `msgs' alias Date: Thu, 11 Jul 2002 15:09:02 +0400 (MSD) On Fri, Jun 28, 2002 at 05:20:01AM -0700, FreeBSD-gnats-submit@FreeBSD.org wrote: > Thank you very much for your problem report. > It has the internal identification `misc/39951'. > The individual assigned to look at your > report is: freebsd-bugs. > > >Category: misc > >Responsible: freebsd-bugs > >Synopsis: Sendmail 8.12.3 and `msgs' alias > >Arrival-Date: Fri Jun 28 05:20:01 PDT 2002 More digging lead me to following hack (msgs will now be suid, so if it can be exploited, that'll be one more hole): I've also noted, that first time BINMODE was set incorrect ( 4755 instead of 4555) ---- Begin patch ---- diff -U 3 -r usr.bin/msgs/Makefile usr.bin/msgs/Makefile --- usr.bin/msgs/Makefile Wed Jul 10 20:44:12 2002 +++ usr.bin/msgs/Makefile Wed Jul 10 20:41:08 2002 @@ -4,5 +4,6 @@ PROG= msgs DPADD= ${LIBTERMCAP} LDADD= -ltermcap +BINMODE= 4555 .include diff -U 3 -r usr.bin/msgs/msgs.c usr.bin/msgs/msgs.c --- usr.bin/msgs/msgs.c Wed Jul 10 20:40:12 2002 +++ usr.bin/msgs/msgs.c Wed Jul 10 20:41:21 2002 @@ -179,7 +179,7 @@ setlocale(LC_ALL, ""); time(&t); - setuid(uid = getuid()); + setuid(uid = geteuid()); ruptible = (signal(SIGINT, SIG_IGN) == SIG_DFL); if (ruptible) signal(SIGINT, SIG_DFL); ---- End patch ---- Directions: apply this standing in source tree root (shake well before using :-) ) Sinceherely yours, Artem 'Zazoobr' Ignatjev. --- Unix is like a wigwam: No windows, no gates and an apache inside. From: Volker Stolz To: freebsd-gnats-submit@FreeBSD.org, timon@netherworld.ru Cc: Subject: Re: misc/39951: Sendmail 8.12.3 and `msgs' alias Date: Fri, 9 Aug 2002 12:19:39 +0200 I've just been bitten by this one, too. It looks as if making /var/msgs owned by smmsp suffices. Cleaning up with `msgs -c' as root from /etc/periodic works, too. I suggest fixing permission /etc/mtree/BSD.var.dist and leaving a comprehensive note for people not using the in-tree sendmail with smmsp. -- "Gemischte Materialien // Früher: Restmüll" Aufschrift auf einem Container, Informatik-Parkplatz http://lambda.foldr.org/~vs/ * PGP * S/MIME Responsible-Changed-From-To: freebsd-bugs->gshapiro Responsible-Changed-By: gshapiro Responsible-Changed-When: Sat Feb 8 10:54:46 PST 2003 Responsible-Changed-Why: Over to sendmail maintainer. http://www.freebsd.org/cgi/query-pr.cgi?pr=39951 State-Changed-From-To: open->closed State-Changed-By: gshapiro State-Changed-When: Sat Feb 8 11:00:33 PST 2003 State-Changed-Why: I've checked in a comment in /etc/mail/aliases for both CURRENT and STABLE which gives users instructions on how to make msgs work properly: # NOTE: /var/msgs and /var/msgs/bounds must be owned by sendmail's # DefaultUser (defaults to mailnull) for the msgs alias to work. # # msgs: "| /usr/bin/msgs -s" I don't want to give msgs any special permissions nor do I want to make the default permissions on /var/msgs allow for program delivery. http://www.freebsd.org/cgi/query-pr.cgi?pr=39951 >Unformatted: