Date: Fri, 19 Apr 2002 09:29:07 -0700
From: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
To: Doug Barton <DougB@FreeBSD.ORG>
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: Proposal for dealing with sendmail [ug]id bootstrapping
Message-ID: <15552.17875.373230.467284@horsey.gshapiro.net>
In-Reply-To: <20020419021942.A10172-100000@master.gorean.org>
References: <20020419021942.A10172-100000@master.gorean.org>

DougB> My proposal is simple. Change from using names to numeric [ug]id's
DougB> in mtree, and elsewhere if needed. The plus is that it solves the
DougB> bootstrapping problem. The negatives involve problems with systems
DougB> that don't merge the password and group files, and therefore will
DougB> have directories owned by "weird" users. Another possible difficulty
DougB> involves systems where there are already users with the numeric
DougB> values currently used by sendmail.

This could lead to security problems. If the UID is already in use by
another user on the system, that user will be able to attack the submission
mail queue causing denial of service and an invasion of privacy.
Furthermore, it won't fix the problem if NO_SENDMAIL=no as it will only
delay the installworld failure until later in the installation process when
the sendmail binary is installed. Finally, it would leave behind a broken
system for sendmail users.

DougB> Another, although more complex option would be to add code such as
DougB> the following (in pseudocode) to /usr/src/etc/Makefile:

DougB> if ((not grep ^smmsp: /etc/master.passwd) and
DougB>     (not grep ':25:25:' /etc/master.passwd)) then
DougB>         pw useradd -n smmsp -u 25 -c 'Sendmail Submission User' \
DougB>         -g 25 -s /sbin/nologin -d /var/spool/clientmqueue

DougB> And repeat for the other two entries. This is more prone to failure,
DougB> since there are more variables. However, at this point I think it
DougB> would be better than nothing.

I agree this is more prone to failure (even your example above has problems
such as just because :25:25: exists, it doesn't mean it belongs to smmsp).
It has some of the same problems as above, namely the possible reuse of an
existing UID.

Although I really would prefer that people who are building from source pay
attention to things like the handbook section on what to do when building
from source:

- section 19.4.1 says to read /usr/src/UPDATING. This issue is documented
  in that file.
- section 19.4.3 says to update for new users and groups before installing.
  This issue is documented in the handbook itself.
- section 19.4 says to subscribe to the mailing list for the branch you are
  using. This issue has been covered multiple times on both the mailing
  lists.

I guess that is too much to ask for. IMHO, the best solution for that group
of people would be to move the creation of /var/spool/clientmqueue to a
separate mtree file and use it in src/etc/Makefile's distribution target:

.if !defined(NO_SENDMAIL)
	mtree -deU -f ${.CURDIR}/mtree/sendmail.root.dist -p ${DESTDIR}/
.endif

This solves the NO_SENDMAIL case. For users who are using sendmail, the
users really do need to exist before an installworld for the reasons given
above. So my solution would be to change the installworld: target in
src/Makefile.inc1:

- installworld:
+ installworld: installcheck

And add the installcheck target:

installcheck:
.if !defined(NO_SENDMAIL)
	@if ! `grep -q ^smmsp: /etc/master.passwd`; then \
		echo "smmsp user missing. Read /usr/src/UPDATING."; \
		false; \
	fi; \
	if ! `grep -q ^smmsp: /etc/group`; then \
		echo "smmsp group missing. Read /usr/src/UPDATING."; \
		false; \
	fi
.endif

The installcheck target may be useful for the other checks now and in the
future.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15552.17875.373230.467284>
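
The message above raises two conditions that a name-only grep does not detect: a :25:25: entry that does not belong to smmsp, and UID 25 already held by another account. The following sketch is an added example, not part of the original e-mail or of the FreeBSD build system; check_id, sendmail_preflight and the sample files are hypothetical and constructed for illustration, while smmsp and the ID 25 come from the quoted pseudocode.

```shell
#!/bin/sh
# Added example: preflight for the smmsp account (UID/GID 25, values from the thread).
# check_id and sendmail_preflight are hypothetical helpers, not FreeBSD build code.

# check_id FILE NAME ID KIND -> 0 ok, 1 NAME missing, 2 ID held by another
# entry, 3 NAME present with a different ID. Field 3 is the numeric ID in
# both master.passwd and group.
check_id() {
    awk -F: -v name="$2" -v id="$3" -v kind="$4" '
        /^#/ || NF < 3 { next }                      # comments, malformed lines
        $1 == name     { found = 1; have = $3 }
        $1 != name && $3 == id { other = (other == "" ? "" : other ",") $1 }
        END {
            if (other != "") { printf "%s id %s already used by %s\n", kind, id, other; exit 2 }
            if (!found) { printf "%s %s missing. Read /usr/src/UPDATING.\n", kind, name; exit 1 }
            if (have != id) { printf "%s %s has id %s, expected %s\n", kind, name, have, id; exit 3 }
            printf "%s %s ok\n", kind, name
        }' "$1"
}

# Run both checks; return the last non-zero status so a caller can stop the install.
sendmail_preflight() {
    rc=0
    check_id "$1" smmsp 25 user  || rc=$?
    check_id "$2" smmsp 25 group || rc=$?
    return "$rc"
}

# Constructed sample files (not taken from any real system).
write_samples() {
    root='root:*:0:0::0:0:Charlie &:/root:/bin/csh'
    printf '%s\n' "$root" \
        'smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin' > "$1/passwd.ok"
    # UID 25 already belongs to a local account and smmsp is absent.
    printf '%s\n' "$root" \
        'backup:*:25:25::0:0:Local backup:/nonexistent:/sbin/nologin' > "$1/passwd.squat"
    printf '%s\n' "$root" > "$1/passwd.missing"
    printf '%s\n' 'wheel:*:0:root' 'smmsp:*:25:' > "$1/group.ok"
}

d=$(mktemp -d) && write_samples "$d"
sendmail_preflight "$d/passwd.ok" "$d/group.ok" || echo "preflight failed: $?"
sendmail_preflight "$d/passwd.squat" "$d/group.ok" || echo "preflight failed: $?"
rm -rf "$d"
```

The passwd.squat sample is the case in which the quoted ':25:25:' grep matches even though no smmsp account exists.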