Portage reports the following QA issue when emerging mail-mta/nullmailer-2.2:

 * system executables owned by nonzero uid:
 *   /usr/bin/mailq
 *   /usr/sbin/nullmailer-queue

---------
$ ls -l /usr/bin/mailq /usr/sbin/nullmailer-queue
-rws--x--x 1 nullmail nullmail 22696 Apr 14 21:52 /usr/bin/mailq
-rws--x--x 1 nullmail nullmail 30952 Apr 14 21:52 /usr/sbin/nullmailer-queue
---------
$ emerge -pv mail-mta/nullmailer

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] mail-mta/nullmailer-2.2::gentoo  USE="ssl -test" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB
Created attachment 572832: info.txt (emerge --info)
Created attachment 572834: build.log
The point of the binaries is to setuid to the nullmail user, and write to the nullmailer directories that way. I argue that the QA check is wrong in this case.
(In reply to Robin Johnson from comment #3)
> The point of the binaries is to setuid to the nullmail user, and write to
> the nullmailer directories that way.
>
> I argue that the QA check is wrong in this case.

Adding QA to the discussion.
This is still true today.

>>> Messages generated by process 140253 on 2021-01-12 11:39:09 CET for package mail-mta/nullmailer-2.2-r1:

QA: other system executables owned by nonzero uid:
	/usr/bin/mailq
	/usr/sbin/nullmailer-queue

QA Notice: Package triggers severe warnings which indicate that it may exhibit random runtime failures.
itoa.cc:18:32: warning: array subscript -1 is outside array bounds of 'char [64]' [-Warray-bounds]

Please do not file a Gentoo bug and instead report the above QA issues directly to the upstream developers of this software.
Homepage: http://untroubled.org/nullmailer/ https://github.com/bruceg/nullmailer
(In reply to Robin Johnson from comment #3)
> The point of the binaries is to setuid to the nullmail user, and write to
> the nullmailer directories that way.

Looks like all relevant directories belong to group nullmail and are writable for that group. Won't it be enough if the binaries were owned by root:nullmail, with their setgid bit set?
I just entered bug #888880, which is another reason why /usr/sbin/nullmailer-queue should have the setgid bit set.
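To make the QA rule from the original report and the root:nullmail/setgid layout proposed in comment #7 concrete, here is an added Python example; it is not Portage's own check and not code from this bug. The directory list and the exact rule ("regular executable in a system bin directory whose owner is not uid 0") are my reading of the QA message, and the gid 1002 used in the checks is a constructed value.

```python
import os
import stat
import tempfile

# Locations treated as "system executable" directories. This list is an
# assumption chosen to cover the two paths in the report; Portage's own
# list may differ.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")

def qa_flags(mode: int, uid: int) -> bool:
    """My reading of the QA message: a regular, executable file whose
    owner is not uid 0. The setuid bit is not part of the rule; it is why
    the finding matters, since the owning account can rewrite the file."""
    is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return stat.S_ISREG(mode) and is_exec and uid != 0

def describe(mode: int, uid: int, gid: int, nullmail_gid: int) -> str:
    """Label the two ownership layouts discussed in the thread."""
    if mode & stat.S_ISUID and uid != 0:
        return "setuid to non-root owner (flagged by QA)"
    if uid == 0 and gid == nullmail_gid and mode & stat.S_ISGID:
        return "root:nullmail with setgid (proposed alternative)"
    return "other"

def scan(dirs=SYSTEM_BIN_DIRS):
    """Walk the given directories and return the paths the check flags.
    lstat is used so that symlinks are judged by their own metadata."""
    flagged = []
    for top in dirs:
        for dirpath, _dirnames, filenames in os.walk(top):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if qa_flags(st.st_mode, st.st_uid):
                    flagged.append(path)
    return flagged

def self_check():
    """Create a constructed setuid executable in a temp dir and scan it.
    Returns (flagged paths, our uid): the file is flagged only when the
    creating process is not root, because that decides its owner."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nullmailer-queue")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, 0o4711)  # -rws--x--x, as in the ls -l output
        return scan((tmp,)), os.getuid()
```

Running `scan()` with no arguments audits the real system directories; `self_check()` exercises the same logic on a throwaway file without touching them.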