Bug 683332 - mail-mta/nullmailer-2.2 - installs system executables owned by nonzero uid: /usr/bin/mailq /usr/sbin/nullmailer-queue
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Robin Johnson
Reported: 2019-04-14 19:56 UTC by Francesco Turco
Modified: 2024-02-25 20:11 UTC


Attachments
info.txt (info.txt,5.78 KB, text/plain)
2019-04-14 19:57 UTC, Francesco Turco
build.log (build.log,35.65 KB, text/plain)
2019-04-14 19:57 UTC, Francesco Turco

Description Francesco Turco 2019-04-14 19:56:17 UTC
Portage reports the following QA issue when emerging mail-mta/nullmailer-2.2:

 * system executables owned by nonzero uid:
 *   /usr/bin/mailq
 *   /usr/sbin/nullmailer-queue

---------

$ ls -l /usr/bin/mailq /usr/sbin/nullmailer-queue 
-rws--x--x 1 nullmail nullmail 22696 Apr 14 21:52 /usr/bin/mailq
-rws--x--x 1 nullmail nullmail 30952 Apr 14 21:52 /usr/sbin/nullmailer-queue

---------

$ emerge -pv mail-mta/nullmailer
 
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] mail-mta/nullmailer-2.2::gentoo  USE="ssl -test" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
Comment 1 Francesco Turco 2019-04-14 19:57:21 UTC
Created attachment 572832 [details]
info.txt

emerge --info
Comment 2 Francesco Turco 2019-04-14 19:57:39 UTC
Created attachment 572834 [details]
build.log
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2019-09-20 17:15:16 UTC
The point of the binaries is to setuid to the nullmail user, and write to the nullmailer directories that way.

I argue that the QA check is wrong in this case.
Comment 4 Michael Haubenwallner (RETIRED) gentoo-dev 2019-10-16 09:08:37 UTC
(In reply to Robin Johnson from comment #3)
> The point of the binaries is to setuid to the nullmail user, and write to
> the nullmailer directories that way.
> 
> I argue that the QA check is wrong in this case.

Adding QA to the discussion.
Comment 5 Adjudicator Darren 2021-01-12 14:36:13 UTC
This is still true today.

>>> Messages generated by process 140253 on 2021-01-12 11:39:09 CET for package mail-mta/nullmailer-2.2-r1:

QA: other
system executables owned by nonzero uid:
  /usr/bin/mailq
  /usr/sbin/nullmailer-queue
QA Notice: Package triggers severe warnings which indicate that it
           may exhibit random runtime failures.
itoa.cc:18:32: warning: array subscript -1 is outside array bounds of 'char [64]' [-Warray-bounds]
Please do not file a Gentoo bug and instead report the above QA
issues directly to the upstream developers of this software.
Homepage: http://untroubled.org/nullmailer/ https://github.com/bruceg/nullmailer
Comment 6 Ulrich Müller gentoo-dev 2021-01-12 17:04:19 UTC
(In reply to Robin Johnson from comment #3)
> The point of the binaries is to setuid to the nullmail user, and write to
> the nullmailer directories that way.

Looks like all relevant directories belong to group nullmail and are writable for that group. Won't it be enough if the binaries were owned by root:nullmail, with their setgid bit set?
Comment 7 Michael Yagliyan 2022-12-29 17:30:48 UTC
I just entered bug #888880, which is another reason why /usr/sbin/nullmailer-queue should have the setgid bit set.
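
An added example, not part of the bug thread and not Portage's own QA code: a Python sketch of the ownership check discussed above. It separates the reported layout (a setuid executable owned by a service account) from the root:group setgid layout suggested in comment 6. The directory list, the finding labels and the sample uid/gid values are assumptions.

```python
import os
import stat

# Assumed audit scope; the thread itself only names /usr/bin and /usr/sbin.
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


def classify(mode, uid, gid):
    """Return findings for one file from its st_mode, st_uid and st_gid."""
    findings = []
    if not stat.S_ISREG(mode):
        return findings  # directories, symlinks and devices are out of scope
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH) and uid != 0:
        findings.append("nonzero-owner")  # the condition the QA notice reports
    if mode & stat.S_ISUID and uid != 0:
        # Runs as the service account, which as owner may also chmod the file.
        findings.append("setuid-nonroot")
    if mode & stat.S_ISGID and uid == 0 and gid != 0:
        # Layout suggested in comment 6: root-owned, group privilege only.
        findings.append("setgid-root-owned")
    if mode & stat.S_IWOTH or (mode & stat.S_IWGRP and gid != 0):
        findings.append("writable-by-non-root")
    return findings


def audit(dirs=SYSTEM_DIRS):
    """Map path -> findings for every flagged regular file directly in dirs."""
    report = {}
    for directory in dirs:
        try:
            with os.scandir(directory) as entries:
                for entry in entries:
                    st = entry.stat(follow_symlinks=False)
                    found = classify(st.st_mode, st.st_uid, st.st_gid)
                    if found:
                        report[entry.path] = found
        except OSError:
            continue  # missing or unreadable directory, or a file that vanished
    return report


if __name__ == "__main__":
    for path, found in sorted(audit().items()):
        print(path, ",".join(found))
```

Mode 0o104711 is the `-rws--x--x` shown in the `ls -l` output of the description; 0o102711 (`-rwx--s--x`) with uid 0 is the root:nullmail setgid alternative.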