From owner-freebsd-security Thu Sep 28 12:26:06 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id MAA26112 for security-outgoing; Thu, 28 Sep 1995 12:26:06 -0700
Received: from Root.COM (implode.Root.COM [198.145.90.17]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id MAA26106 ; Thu, 28 Sep 1995 12:26:02 -0700
Received: from corbin.Root.COM (corbin [198.145.90.34]) by Root.COM (8.6.12/8.6.5) with ESMTP id MAA22684; Thu, 28 Sep 1995 12:24:38 -0700
Received: from localhost (localhost [127.0.0.1]) by corbin.Root.COM (8.6.12/8.6.5) with SMTP id MAA01968; Thu, 28 Sep 1995 12:27:13 -0700
Message-Id: <199509281927.MAA01968@corbin.Root.COM>
To: torstenb@freebsd.org
cc: batie@agora.rdrop.com (Alan Batie), core@freebsd.org, security@freebsd.org
Subject: Re: smail patch
In-reply-to: Your message of "Thu, 28 Sep 95 18:30:26 BST."
From: David Greenman
Reply-To: davidg@Root.COM
Date: Thu, 28 Sep 1995 12:27:12 -0700
Sender: owner-security@freebsd.org
Precedence: bulk

>Alan Batie wrote:
>
>> > the sample configuration files that the smail port installs in
>> > /usr/local/lib/smail/ use /usr/libexec/mail.local for delivery to local
>> > mailboxes (see the "local" transport in transports.sample) like sendmail.
>>
>> That is a solution for that particular problem, but that patch, or something
>> similar, still needs to be applied. For example, at work we have /usr/local
>> on a file server and use secondary configs for local customizations. Since
>> apparently NFS requires a group, there will likely be problems.
>
>Let me quote src/sysdep.c:
>
>> * NOTE: we assume that setgroups(0, (int *)NULL) has been called
>> * to clear out any groups that may erroneously allow access
>> * to the file.
>
>Not clearing the group access list opens a security hole.
>I don't have the time to look deeper at the smail sources now. Please
>post to comp.mail.smail...
>
>Sorry, but I won't change something that opens a new security hole...
The first group in the group list is special. It is the effective gid of the process. The change to do the setgroups(1, &dummy) is not a security hole. The effective gid is set in various places, and one gid 'slot' must exist for this to work correctly. It is not valid to set the group list to contain no entries; NFS will not work without at least one gid in the list - and worse, FreeBSD will panic because it can't handle this condition.

Let me put this another way: If you don't fix the smail port, we *will* have a major security hole as soon as I bring in the Lite-2 changes to setgroups() as it WILL fail with EINVAL for setgroups(0, blah) and since the return status of setgroups is not checked, the entire group list will remain unchanged.

Please commit the fix.

-DG
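A privilege-dropping routine written the way the reply argues it should be: a one-entry group list instead of setgroups(0, NULL), with the return value checked and the list read back rather than trusted. This is an added example, not code from smail or from anyone in the thread; the function names and the sample gid lists are constructed for illustration, and it assumes a POSIX system where setgroups() requires root.

```c
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* 1 if the list has at least one entry and every entry is `expected`,
 * else 0. A zero-length list counts as not clean: one slot must hold
 * the effective gid on the systems discussed. */
int group_list_is_clean(const gid_t *groups, int ngroups, gid_t expected)
{
    if (ngroups < 1)
        return 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != expected)
            return 0;           /* a stale group survived */
    return 1;
}

/* Drop every supplementary group, keeping one slot for the effective gid.
 * Returns 0 on success, -1 (errno set) if setgroups() fails or other
 * groups are still present afterwards. */
int drop_supplementary_groups(gid_t egid)
{
    gid_t want = egid, *have;
    int n, ok;
    /* One-entry list instead of setgroups(0, NULL), and the result is
     * checked: ignoring a failure leaves the old group list in place. */
    if (setgroups(1, &want) == -1)
        return -1;

    /* Do not trust the call; read the list back with getgroups(). */
    if ((n = getgroups(0, NULL)) < 0)
        return -1;
    if ((have = calloc((size_t)n + 1, sizeof *have)) == NULL)
        return -1;
    n = getgroups(n + 1, have);
    ok = n >= 0 && group_list_is_clean(have, n, egid);
    free(have);
    if (!ok) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Constructed sample lists (not from the thread) for exercising the check. */
const gid_t sample_clean[] = { 1000 };
const gid_t sample_stale[] = { 1000, 0, 4 };
```

Call drop_supplementary_groups(getegid()) from a root process before dropping uid; an unprivileged process gets -1 with EPERM from setgroups(), which is exactly the failure the unchecked call in the quoted comment would have hidden.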