Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 683332 - mail-mta/nullmailer-2.2 - system executables owned by nonzero uid: /usr/bin/mailq /usr/sbin/nullmailer-queue
Summary: mail-mta/nullmailer-2.2 - system executables owned by nonzero uid: /usr/bin/m...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Robin Johnson
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-14 19:56 UTC by Francesco Turco
Modified: 2019-10-16 09:08 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
info.txt (info.txt,5.78 KB, text/plain)
2019-04-14 19:57 UTC, Francesco Turco
Details
build.log (build.log,35.65 KB, text/plain)
2019-04-14 19:57 UTC, Francesco Turco
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Francesco Turco 2019-04-14 19:56:17 UTC
Portage reports the following QA issue when emerging mail-mta/nullmailer-2.2:

 * system executables owned by nonzero uid:
 *   /usr/bin/mailq
 *   /usr/sbin/nullmailer-queue

---------

$ ls -l /usr/bin/mailq /usr/sbin/nullmailer-queue 
-rws--x--x 1 nullmail nullmail 22696 Apr 14 21:52 /usr/bin/mailq
-rws--x--x 1 nullmail nullmail 30952 Apr 14 21:52 /usr/sbin/nullmailer-queue

---------

$ emerge -pv mail-mta/nullmailer
 
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] mail-mta/nullmailer-2.2::gentoo  USE="ssl -test" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
Comment 1 Francesco Turco 2019-04-14 19:57:21 UTC
Created attachment 572832 [details]
info.txt

emerge --info
Comment 2 Francesco Turco 2019-04-14 19:57:39 UTC
Created attachment 572834 [details]
build.log
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-09-20 17:15:16 UTC
The point of the binaries is to setuid to the nullmail user, and write to the nullmailer directories that way.

I argue that the QA check is wrong in this case.
Comment 4 Michael Haubenwallner gentoo-dev 2019-10-16 09:08:37 UTC
(In reply to Robin Johnson from comment #3)
> The point of the binaries is to setuid to the nullmail user, and write to
> the nullmailer directories that way.
> 
> I argue that the QA check is wrong in this case.

Adding QA to the discussion.