Bug 888880 - mail-mta/nullmailer-2.2-r2: setgid bit not set on /usr/sbin/nullmailer-queue
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Robin Johnson
Reported: 2022-12-29 17:20 UTC by Michael Yagliyan
Modified: 2022-12-30 03:55 UTC

Attachments
brief program to simulate how nullmailer-queue opens adminaddr file (readfile.c, 456 bytes, text/x-csrc)
2022-12-29 17:28 UTC, Michael Yagliyan

Description Michael Yagliyan 2022-12-29 17:20:42 UTC
I want to use the "adminaddr" control file (i.e. /etc/nullmailer/adminaddr), so I created it, changed its group to nullmail (like the "remotes" control file), and chmod'ed it to 640.  I did this because I consider the e-mail address to be sensitive information.

However when I use the mail command to send something to "root", and thereby use the default address defined in the "adminaddr" file, the command fails with a vague error message.  I had to run mail with strace capturing all forked process info (strace -o mail_strace -ff -y --string-limit=128 mail ...) to determine it was the nullmailer-queue process which was failing when it tried to open the "adminaddr" file for reading.  (And technically that file is always read, so mail fails even when sending to a fully-qualified recipient address.)

/usr/sbin/nullmailer-queue is installed with owner nullmail, group nullmail, and permissions 4711 (setuid bit but not setgid bit), see:
https://gitweb.gentoo.org/repo/gentoo.git/tree/mail-mta/nullmailer/nullmailer-2.2-r2.ebuild#n109

To be honest I was a little surprised by this problem. Since nullmailer-queue is running as group root (GID and Effective GID are 0), I assumed it should have access to everything even if its Effective UID isn't root, but I guess that's not how it works (need to brush up on my UNIX permissions).

Reproducible: Always

Steps to Reproduce:
1. Become root
2. echo "your-email@example.com" >/etc/nullmailer/adminaddr
3. chgrp nullmail /etc/nullmailer/adminaddr
4. chmod 640 /etc/nullmailer/adminaddr
5. mail --subject=Test -- root <<<''
Actual Results:  
Get output "mail: cannot send message: Process exited with a non-zero status", e-mail isn't sent.

Expected Results:  
No output, and e-mail is sent.
Comment 1 Michael Yagliyan 2022-12-29 17:28:04 UTC
Created attachment 845664
brief program to simulate how nullmailer-queue opens adminaddr file

Attached readfile.c to simulate how nullmailer-queue opens /etc/nullmailer/adminaddr but print more info about what is happening.

Steps to reproduce exactly my scenario (as root):
1. gcc -o readfile readfile.c
2. chmod 4711 readfile
3. chown nullmail:nullmail readfile
4. echo "my-email@example.com" >/etc/nullmailer/adminaddr
5. chmod 640 /etc/nullmailer/adminaddr
6. chown root:nullmail /etc/nullmailer/adminaddr
7. ./readfile
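
The permission check behind the failure reported above, as an added example that is not part of the bug report and is not the attached readfile.c: a simplified model of the classic UNIX mode-bit check (no ACLs) applied to a root:nullmail 0640 file. The nullmail uid/gid of 88 and the caller's supplementary group list are constructed assumptions.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/stat.h>

enum perm_class { CLASS_ROOT, CLASS_OWNER, CLASS_GROUP, CLASS_OTHER };

struct cred { uid_t euid; gid_t egid; const gid_t *groups; size_t ngroups; };

/* Pick the single permission class that applies; classes do not fall through. */
static enum perm_class pick_class(const struct cred *c, uid_t fuid, gid_t fgid)
{
    if (c->euid == 0) return CLASS_ROOT;   /* euid 0 bypasses the check; gid 0 does not */
    if (c->euid == fuid) return CLASS_OWNER;
    if (c->egid == fgid) return CLASS_GROUP;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == fgid) return CLASS_GROUP;
    return CLASS_OTHER;
}

static int may_read(const struct cred *c, uid_t fuid, gid_t fgid, mode_t mode)
{
    switch (pick_class(c, fuid, fgid)) {
    case CLASS_ROOT:  return 1;
    case CLASS_OWNER: return (mode & S_IRUSR) != 0;
    case CLASS_GROUP: return (mode & S_IRGRP) != 0;
    default:          return (mode & S_IROTH) != 0;
    }
}

/* Constructed ID: nullmail's uid and gid are assumed to be 88 for illustration. */
#define NULLMAIL 88

/* Root runs a binary owned by nullmail:nullmail, with or without the setgid bit. */
static int queue_can_read_adminaddr(int setgid_bit)
{
    static const gid_t caller_groups[] = { 0 };  /* assumed: caller is only in group root */
    struct cred c = { NULLMAIL, setgid_bit ? NULLMAIL : 0, caller_groups, 1 };
    return may_read(&c, 0 /* file owner: root */, NULLMAIL, 0640);
}

int main(void)
{
    printf("setuid only (4711): read %s\n", queue_can_read_adminaddr(0) ? "ok" : "EACCES");
    printf("setuid + setgid:    read %s\n", queue_can_read_adminaddr(1) ? "ok" : "EACCES");
    return 0;
}
```

With only the setuid bit, the process is neither the file's owner nor in its group, so the "other" bits (none) apply even though its effective GID is 0.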
Comment 2 Michael Yagliyan 2022-12-29 17:44:29 UTC
I noticed bug #683332, which maybe provides more reason to have the setgid bit set.