83023 – mail-filter/procmail-3.22-r6: doesn't work with restrictive NFS homes

Bug 83023 - mail-filter/procmail-3.22-r6: doesn't work with restrictive NFS homes

Summary: mail-filter/procmail-3.22-r6: doesn't work with restrictive NFS homes

Status:	RESOLVED UPSTREAM

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Net-Mail Packages

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-02-22 18:57 UTC by Sascha Silbe
Modified:	2005-03-20 11:10 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sascha Silbe 2005-02-22 18:57:39 UTC

mail-filter/procmail-3.22-r6 doesn't read $HOME/.procmailrc if it's $HOME is mounted via NFS with root_squash in effect and uses restrictive permissions (i.e. 0700).
I'm marking this as severity=major since it means procmail is unusable on my system (homedirs are always set to 0700 for privacy reasons).


Reproducible: Always
Steps to Reproduce:
1. chmod 700 /home/sascha
2. echo test|mail -s test sascha@cube.sascha.silbe.org

Actual Results:  
Excerpt of strace on the qmail-lspawn process (that spawns procmail):

2000  setgroups32(17, [100, 4, 10, 11, 16, 18, 19, 20, 1004, 27, 35, 80, 245, 250, 120, 1033, 1037]) = 0
2000  uname({sys="Linux", node="cube", ...}) = 0
2000  stat64("/var/spool/mail/", {st_mode=S_IFDIR|0775, st_size=1024, ...}) = 0
2000  setgid32(12)                      = 0
2000  lstat64("/var/spool/mail/sascha", {st_mode=S_IFREG|0600, st_size=1766896, ...}) = 0
2000  lstat64("/var/spool/mail/sascha.lock", 0xbffffa3c) = -1 ENOENT (No such file or directory)
2000  umask(077)                        = 077
2000  open("/etc/procmailrc", O_RDONLY) = 4
[...]
2000  stat64("/home/sascha/.procmailrc", 0xbffffa3c) = -1 EACCES (Permission denied)
2000  open("/home/sascha/.procmailrc", O_RDONLY) = -1 EACCES (Permission denied)
2000  setuid32(1000)                    = 0

As you see, procmail returns to normal user permissions just _after_ trying to read the personal config file, thus triggering root_squash on the NFS homedir.
It might even be bad security-wise since ~/.procmailrc could be a SymLink to some file readable only by root.



Expected Results:  
Either return to normal user rights as soon as possible (especially before trying to access any user-owned files) or don't install procmail as setuid-root.
BTW: Why is it setuid-root, anyway? It's just a mail filter, after all.


Gentoo Base System version 1.4.16
Portage 2.0.51-r15 (default-linux/x86/2004.0, gcc-3.3.5, glibc-2.3.4.20040808-r1, 2.6.10-infra-r2-cube-1 i686)
=================================================================
System uname: 2.6.10-infra-r2-cube-1 i686 AMD Athlon(tm) XP 1700+
Python:              dev-lang/python-2.3.4-r1 [2.3.4 (#1, Feb  8 2005, 02:37:46)]
distcc 2.16 i586-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.3.4-r1
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.5, 1.7.9-r1, 1.4_p6, 1.9.4, 1.6.3, 1.8.5-r3
sys-devel/binutils:  2.15.92.0.2-r1
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium -mcpu=athlon-tbird -O3 -pipe"
CHOST="i586-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /usr/vice/etc /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/afs/C /etc/afs/afsws /etc/afs/modload /etc/gconf /etc/make.globals /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium -mcpu=athlon-tbird -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache collision-protect distlocks fixpackages sandbox sfperms strict test userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.easynet.nl/mirror/gentoo/ http://gentoo.inode.at/ ftp://gentoo.inode.at/source/"
LANG="en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp/portage"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage-local--main--1.0"
SYNC="rsync://hybrid.sascha.silbe.org/gentoo-portage"
USE="x86 3dnow S3TC X acl afs alsa apm avi bash-completion berkdb bitmap-fonts blas bzlib cdr crypt curl doc dvd dvdr emboss encode f77 fam flac font-server foomaticdb fortran gdbm gif gimpprint gtk gtk2 gtkhtml guile hbci imagemagick imap imlib ipv6 j-noaim j-nomsn j-noyahoo jabber jpeg kerberos lapack lcms libg++ libwww lvm1 mad maildir makecheck mbox mikmod mmx monitor mozsvg mpeg mysql nas ncurses nls nodrm offensive oggvorbis opengl oss pam pdflib plotutils png postgres python qt qtmt quicktime readline samba scanner sdl serial skey spell sqlite sse ssl tetex tiff truetype truetype-fonts type1-fonts unicode xml xml2 xv xvid zlib linguas_en,de"
Unset:  ASFLAGS, CBUILD, CTARGET, LC_ALL, LDFLAGS

Comment 1 Fernando J. Pereda (RETIRED) gentoo-dev

2005-03-05 04:49:44 UTC

> As you see, procmail returns to normal user permissions just _after_ trying to read the personal config file, thus triggering root_squash on the NFS homedir.

Well... this is an UPSTREAM thing.

> Why is it setuid-root, anyway? It's just a mail filter, after all.

maildrop also installs as setuid-root; it is needed to gain user privileges when invoqued with a non-privileged account such as mail.

I don't want to close this as RESOLVED->UPSTREAM; but is more an upstream bug than gentoo-related bug.

Cheers,
Ferdy

Comment 2 Fernando J. Pereda (RETIRED) gentoo-dev

2005-03-20 11:10:38 UTC

This is an upstream bug if it is actually a bug.

Cheers,
Ferdy