diff --git a/gnu/dist/sendmail/RELEASE_NOTES b/gnu/dist/sendmail/RELEASE_NOTES index abc10be7e796..17bf033ff3f6 100644 --- a/gnu/dist/sendmail/RELEASE_NOTES +++ b/gnu/dist/sendmail/RELEASE_NOTES @@ -1,11 +1,22 @@ SENDMAIL RELEASE NOTES - Id: RELEASE_NOTES,v 8.561 2000/04/06 23:51:49 gshapiro Exp + Id: RELEASE_NOTES,v 8.561.4.6 2000/06/07 07:39:53 gshapiro Exp This listing shows the version of the sendmail binary, the version of the sendmail configuration files, the date of release, and a summary of the changes in that release. +8.10.2/8.10.2 2000/06/07 + SECURITY: Work around broken Linux setuid() implementation. + On Linux, a normal user process has the ability to subvert + the setuid() call such that it is impossible for a root + process to drop its privileges. Problem noted by Wojciech + Purczynski of elzabsoft.pl. + SECURITY: Add more vigilance around set*uid(), setgid(), setgroups(), + initgroups(), and chroot() calls. + Added Files: + test/t_setuid.c + 8.10.1/8.10.1 2000/04/06 SECURITY: Limit the choice of outgoing (client-side) SMTP Authentication mechanisms to those specified in diff --git a/gnu/dist/sendmail/cf/cf/generic-bsd4.4.cf b/gnu/dist/sendmail/cf/cf/generic-bsd4.4.cf index eb09c15ee2bb..8f9a386d5dc3 100644 --- a/gnu/dist/sendmail/cf/cf/generic-bsd4.4.cf +++ b/gnu/dist/sendmail/cf/cf/generic-bsd4.4.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by gshapiro@horsey.gshapiro.net on Thu Apr 6 14:36:11 PDT 2000 -##### in /usr/local/src/sendmail/devel/OpenSource/sendmail-8.10.1/cf/cf +##### built by gshapiro@horsey.gshapiro.net on Wed Jun 7 10:00:54 PDT 2000 +##### in /usr/local/src/sendmail/devel/8.10/OpenSource/sendmail-8.10.2/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -113,7 +113,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.10.1 +DZ8.10.2 ############### 
diff --git a/gnu/dist/sendmail/cf/cf/generic-hpux10.cf b/gnu/dist/sendmail/cf/cf/generic-hpux10.cf index 9263cfd92498..b944b0a2c79c 100644 --- a/gnu/dist/sendmail/cf/cf/generic-hpux10.cf +++ b/gnu/dist/sendmail/cf/cf/generic-hpux10.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by gshapiro@horsey.gshapiro.net on Thu Apr 6 14:36:13 PDT 2000 -##### in /usr/local/src/sendmail/devel/OpenSource/sendmail-8.10.1/cf/cf +##### built by gshapiro@horsey.gshapiro.net on Wed Jun 7 10:00:57 PDT 2000 +##### in /usr/local/src/sendmail/devel/8.10/OpenSource/sendmail-8.10.2/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -114,7 +114,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.10.1 +DZ8.10.2 ############### diff --git a/gnu/dist/sendmail/cf/cf/generic-hpux9.cf b/gnu/dist/sendmail/cf/cf/generic-hpux9.cf index a957c260dde4..12c827d31c7a 100644 --- a/gnu/dist/sendmail/cf/cf/generic-hpux9.cf +++ b/gnu/dist/sendmail/cf/cf/generic-hpux9.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by gshapiro@horsey.gshapiro.net on Thu Apr 6 14:36:13 PDT 2000 -##### in /usr/local/src/sendmail/devel/OpenSource/sendmail-8.10.1/cf/cf +##### built by gshapiro@horsey.gshapiro.net on Wed Jun 7 10:00:57 PDT 2000 +##### in /usr/local/src/sendmail/devel/8.10/OpenSource/sendmail-8.10.2/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -114,7 +114,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.10.1 +DZ8.10.2 ############### diff --git a/gnu/dist/sendmail/cf/cf/generic-linux.cf b/gnu/dist/sendmail/cf/cf/generic-linux.cf index c632a65d6ac9..d844a5277359 100644 --- a/gnu/dist/sendmail/cf/cf/generic-linux.cf +++ b/gnu/dist/sendmail/cf/cf/generic-linux.cf 
@@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by gshapiro@horsey.gshapiro.net on Thu Apr 6 14:36:13 PDT 2000 -##### in /usr/local/src/sendmail/devel/OpenSource/sendmail-8.10.1/cf/cf +##### built by gshapiro@horsey.gshapiro.net on Wed Jun 7 10:00:58 PDT 2000 +##### in /usr/local/src/sendmail/devel/8.10/OpenSource/sendmail-8.10.2/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -117,7 +117,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.10.1 +DZ8.10.2 ############### diff --git a/gnu/dist/sendmail/cf/cf/generic-osf1.cf b/gnu/dist/sendmail/cf/cf/generic-osf1.cf index 0cd6effa4318..4cde9b226366 100644 --- a/gnu/dist/sendmail/cf/cf/generic-osf1.cf +++ b/gnu/dist/sendmail/cf/cf/generic-osf1.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by gshapiro@horsey.gshapiro.net on Thu Apr 6 14:36:14 PDT 2000 -##### in /usr/local/src/sendmail/devel/OpenSource/sendmail-8.10.1/cf/cf +##### built by gshapiro@horsey.gshapiro.net on Wed Jun 7 10:00:58 PDT 2000 +##### in /usr/local/src/sendmail/devel/8.10/OpenSource/sendmail-8.10.2/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -114,7 +114,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.10.1 +DZ8.10.2 ############### diff --git a/gnu/dist/sendmail/cf/cf/generic-solaris2.cf b/gnu/dist/sendmail/cf/cf/generic-solaris2.cf index cc0a541f4c21..1e0503221f07 100644 --- a/gnu/dist/sendmail/cf/cf/generic-solaris2.cf +++ b/gnu/dist/sendmail/cf/cf/generic-solaris2.cf 
@@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by gshapiro@horsey.gshapiro.net on Thu Apr 6 14:36:14 PDT 2000 -##### in /usr/local/src/sendmail/devel/OpenSource/sendmail-8.10.1/cf/cf +##### built by gshapiro@horsey.gshapiro.net on Wed Jun 7 10:00:58 PDT 2000 +##### in /usr/local/src/sendmail/devel/8.10/OpenSource/sendmail-8.10.2/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -113,7 +113,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.10.1 +DZ8.10.2 ############### diff --git a/gnu/dist/sendmail/cf/cf/generic-sunos4.1.cf b/gnu/dist/sendmail/cf/cf/generic-sunos4.1.cf index 8047eb61bae4..a4c2ec43a974 100644 --- a/gnu/dist/sendmail/cf/cf/generic-sunos4.1.cf +++ b/gnu/dist/sendmail/cf/cf/generic-sunos4.1.cf @@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by gshapiro@horsey.gshapiro.net on Thu Apr 6 14:36:14 PDT 2000 -##### in /usr/local/src/sendmail/devel/OpenSource/sendmail-8.10.1/cf/cf +##### built by gshapiro@horsey.gshapiro.net on Wed Jun 7 10:00:59 PDT 2000 +##### in /usr/local/src/sendmail/devel/8.10/OpenSource/sendmail-8.10.2/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -114,7 +114,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.10.1 +DZ8.10.2 ############### diff --git a/gnu/dist/sendmail/cf/cf/generic-ultrix4.cf b/gnu/dist/sendmail/cf/cf/generic-ultrix4.cf index af6fe19a65f9..4db842534684 100644 --- a/gnu/dist/sendmail/cf/cf/generic-ultrix4.cf +++ b/gnu/dist/sendmail/cf/cf/generic-ultrix4.cf 
@@ -16,8 +16,8 @@ ##### ##### SENDMAIL CONFIGURATION FILE ##### -##### built by gshapiro@horsey.gshapiro.net on Thu Apr 6 14:36:14 PDT 2000 -##### in /usr/local/src/sendmail/devel/OpenSource/sendmail-8.10.1/cf/cf +##### built by gshapiro@horsey.gshapiro.net on Wed Jun 7 10:01:00 PDT 2000 +##### in /usr/local/src/sendmail/devel/8.10/OpenSource/sendmail-8.10.2/cf/cf ##### using ../ as configuration include directory ##### ###################################################################### @@ -114,7 +114,7 @@ DnMAILER-DAEMON CPREDIRECT # Configuration version number -DZ8.10.1 +DZ8.10.2 ############### diff --git a/gnu/dist/sendmail/cf/m4/version.m4 b/gnu/dist/sendmail/cf/m4/version.m4 index 16178cf1b5c3..ec22c1258f75 100644 --- a/gnu/dist/sendmail/cf/m4/version.m4 +++ b/gnu/dist/sendmail/cf/m4/version.m4 @@ -11,8 +11,8 @@ divert(-1) # the sendmail distribution. # # -VERSIONID(`Id: version.m4,v 8.39 2000/04/06 20:30:53 gshapiro Exp') +VERSIONID(`Id: version.m4,v 8.39.6.2 2000/06/07 07:39:55 gshapiro Exp') # divert(0) # Configuration version number -DZ8.10.1`'ifdef(`confCF_VERSION', `/confCF_VERSION') +DZ8.10.2`'ifdef(`confCF_VERSION', `/confCF_VERSION') diff --git a/gnu/dist/sendmail/cf/ostype/solaris2.pre5.m4 b/gnu/dist/sendmail/cf/ostype/solaris2.pre5.m4 index 6f0174fa5120..993d6930fbef 100644 --- a/gnu/dist/sendmail/cf/ostype/solaris2.pre5.m4 +++ b/gnu/dist/sendmail/cf/ostype/solaris2.pre5.m4 @@ -17,7 +17,7 @@ divert(-1) divert(0) -VERSIONID(`Id: solaris2.pre5.m4,v 1.1 1999/09/25 01:17:44 ca Exp') +VERSIONID(`Id: solaris2.pre5.m4,v 8.1 1999/09/25 08:17:44 ca Exp') divert(-1) _DEFIFNOT(`LOCAL_MAILER_FLAGS', `SnE9') diff --git a/gnu/dist/sendmail/devtools/OS/OSF1.V5.0 b/gnu/dist/sendmail/devtools/OS/OSF1.V5.0 index 7e50ffec0f74..a9d26a49e637 100644 --- a/gnu/dist/sendmail/devtools/OS/OSF1.V5.0 +++ b/gnu/dist/sendmail/devtools/OS/OSF1.V5.0 
@@ -1,4 +1,4 @@ -# Id: OSF1.V5.0,v 1.1 2000/03/23 00:14:01 gshapiro Exp +# Id: OSF1.V5.0,v 8.1 2000/03/23 00:14:01 gshapiro Exp define(`confCC', `cc -std1 -Olimit 1000') define(`confMAPDEF', `-DNDBM -DNIS -DMAP_REGEX') define(`confENVDEF', `-DHASSNPRINTF=1') diff --git a/gnu/dist/sendmail/libmilter/Makefile b/gnu/dist/sendmail/libmilter/Makefile index 7678c3e1ab3f..dcff451bec58 100644 --- a/gnu/dist/sendmail/libmilter/Makefile +++ b/gnu/dist/sendmail/libmilter/Makefile @@ -1,4 +1,4 @@ -# Id: Makefile,v 1.1 1999/11/04 00:03:40 ca Exp +# Id: Makefile,v 8.1 1999/11/04 00:03:40 ca Exp SHELL= /bin/sh BUILD= ./Build diff --git a/gnu/dist/sendmail/libsmdb/Makefile b/gnu/dist/sendmail/libsmdb/Makefile index d09a5771c672..fba87c88a798 100644 --- a/gnu/dist/sendmail/libsmdb/Makefile +++ b/gnu/dist/sendmail/libsmdb/Makefile @@ -1,4 +1,4 @@ -# Id: Makefile,v 1.2 1999/09/23 22:36:29 ca Exp +# Id: Makefile,v 8.2 1999/09/23 22:36:29 ca Exp SHELL= /bin/sh BUILD= ./Build diff --git a/gnu/dist/sendmail/libsmutil/Makefile b/gnu/dist/sendmail/libsmutil/Makefile index c20aeca52e8c..1456f442a38e 100644 --- a/gnu/dist/sendmail/libsmutil/Makefile +++ b/gnu/dist/sendmail/libsmutil/Makefile @@ -1,4 +1,4 @@ -# Id: Makefile,v 1.2 1999/09/23 22:36:32 ca Exp +# Id: Makefile,v 8.2 1999/09/23 22:36:32 ca Exp SHELL= /bin/sh BUILD= ./Build diff --git a/gnu/dist/sendmail/sendmail/deliver.c b/gnu/dist/sendmail/sendmail/deliver.c index f1af24128cfc..5ccf871cd4ae 100644 --- a/gnu/dist/sendmail/sendmail/deliver.c +++ b/gnu/dist/sendmail/sendmail/deliver.c @@ -12,7 +12,7 @@ */ #ifndef lint -static char id[] = "@(#)Id: deliver.c,v 8.600 2000/04/06 00:50:14 gshapiro Exp"; +static char id[] = "@(#)Id: deliver.c,v 8.600.4.3 2000/05/28 17:47:08 gshapiro Exp"; #endif /* ! lint */ #include @@ -1860,8 +1860,11 @@ tryhost: u = ctladdr->q_user; if (initgroups(u, ctladdr->q_gid) == -1 && suidwarn) + { syserr("openmailer: initgroups(%s, %d) failed", u, ctladdr->q_gid); + exit(EX_TEMPFAIL); + } } else { 
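Review bot: The new `exit(EX_TEMPFAIL)` in the openmailer hunk sits inside `if (initgroups(u, ctladdr->q_gid) == -1 && suidwarn)`, so a failed group reset is still ignored, with no log line and no exit, whenever `suidwarn` is false. `suidwarn` is set outside this hunk; if it means "running as root", a comment next to the test would help, e.g. `/* failure is tolerated only when we are not root and cannot change ids anyway */`. The same gating applies to the setgroups(), setgid(), seteuid()/setreuid()/setuid() checks in the later openmailer hunks and in the mailfile() hunks. Where the call is expected to have worked, consider comparing the resulting ids with the requested ones before continuing.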
@@ -1869,7 +1872,10 @@ tryhost: gidset[0] = ctladdr->q_gid; if (setgroups(1, gidset) == -1 && suidwarn) + { syserr("openmailer: setgroups() failed"); + exit(EX_TEMPFAIL); + } } new_gid = ctladdr->q_gid; } @@ -1878,8 +1884,11 @@ tryhost: if (!DontInitGroups) { if (initgroups(DefUser, DefGid) == -1 && suidwarn) + { syserr("openmailer: initgroups(%s, %d) failed", DefUser, DefGid); + exit(EX_TEMPFAIL); + } } else { @@ -1887,16 +1896,34 @@ tryhost: gidset[0] = DefGid; if (setgroups(1, gidset) == -1 && suidwarn) + { syserr("openmailer: setgroups() failed"); + exit(EX_TEMPFAIL); + } } if (m->m_gid == 0) new_gid = DefGid; else new_gid = m->m_gid; } - if (new_gid != NO_GID && setgid(new_gid) < 0 && suidwarn) - syserr("openmailer: setgid(%ld) failed", - (long) new_gid); + if (new_gid != NO_GID) + { + if (RunAsUid != 0 && + (RealGid != getgid() || + RealGid != getegid())) + { + /* Only root can change the gid */ + syserr("openmailer: insufficient privileges to change gid"); + exit(EX_TEMPFAIL); + } + + if (setgid(new_gid) < 0 && suidwarn) + { + syserr("openmailer: setgid(%ld) failed", + (long) new_gid); + exit(EX_TEMPFAIL); + } + } /* change root to some "safe" directory */ if (m->m_rootdir != NULL) @@ -1906,10 +1933,16 @@ tryhost: dprintf("openmailer: chroot %s\n", buf); if (chroot(buf) < 0) + { syserr("openmailer: Cannot chroot(%s)", buf); + exit(EX_TEMPFAIL); + } if (chdir("/") < 0) + { syserr("openmailer: cannot chdir(/)"); + exit(EX_TEMPFAIL); + } } /* reset user id */ 
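Review bot: The gid guard added in the `new_gid != NO_GID` block tests `RealGid != getgid() || RealGid != getegid()` and never looks at `new_gid`, whereas the uid guard in the next hunk compares the target (`new_euid != RunAsUid`). As written, a non-root process whose gids already equal RealGid passes the guard even when `new_gid` differs, and one whose gids differ from RealGid is rejected even when no change is being requested. If the intent is "only root may change the gid", as the comment and message suggest, something like `if (RunAsUid != 0 && (new_gid != getgid() || new_gid != getegid()))` looks closer; please confirm against the callers. openmailer's body extends beyond the hunk.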
@@ -1926,29 +1959,48 @@ tryhost: new_ruid = DefUid; if (new_euid != NO_UID) { + if (RunAsUid != 0 && new_euid != RunAsUid) + { + /* Only root can change the uid */ + syserr("openmailer: insufficient privileges to change uid"); + exit(EX_TEMPFAIL); + } + vendor_set_uid(new_euid); #if MAILER_SETUID_METHOD == USE_SETEUID if (seteuid(new_euid) < 0 && suidwarn) + { syserr("openmailer: seteuid(%ld) failed", (long) new_euid); + exit(EX_TEMPFAIL); + } #endif /* MAILER_SETUID_METHOD == USE_SETEUID */ #if MAILER_SETUID_METHOD == USE_SETREUID if (setreuid(new_ruid, new_euid) < 0 && suidwarn) + { syserr("openmailer: setreuid(%ld, %ld) failed", (long) new_ruid, (long) new_euid); + exit(EX_TEMPFAIL); + } #endif /* MAILER_SETUID_METHOD == USE_SETREUID */ #if MAILER_SETUID_METHOD == USE_SETUID if (new_euid != geteuid() && setuid(new_euid) < 0 && suidwarn) + { syserr("openmailer: setuid(%ld) failed", (long) new_euid); + exit(EX_TEMPFAIL); + } #endif /* MAILER_SETUID_METHOD == USE_SETUID */ } else if (new_ruid != NO_UID) { vendor_set_uid(new_ruid); if (setuid(new_ruid) < 0 && suidwarn) + { syserr("openmailer: setuid(%ld) failed", (long) new_ruid); + exit(EX_TEMPFAIL); + } } if (tTd(11, 2)) @@ -3884,6 +3936,12 @@ mailfile(filename, mailer, ctladdr, sfflags, e) { RealUserName = NULL; RealUid = mailer->m_uid; + if (RunAsUid != 0 && RealUid != RunAsUid) + { + /* Only root can change the uid */ + syserr("mailfile: insufficient privileges to change uid"); + exit(EX_TEMPFAIL); + } } else if (bitset(S_ISUID, mode)) { 
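Review bot: The `else if (new_ruid != NO_UID)` branch gets no counterpart of the `RunAsUid != 0 && new_euid != RunAsUid` guard added to the `new_euid` branch, so a non-root process that cannot switch to `new_ruid` stops only when `suidwarn` is set. If the asymmetry is intentional, a short comment on that branch would say so; otherwise add `if (RunAsUid != 0 && new_ruid != RunAsUid)` with the same syserr()/exit pair before `vendor_set_uid(new_ruid)`. The enclosing function starts and ends outside the hunk.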
@@ -3911,7 +3969,17 @@ mailfile(filename, mailer, ctladdr, sfflags, e) /* select a new group to run as */ if (bitnset(M_SPECIFIC_UID, mailer->m_flags)) + { RealGid = mailer->m_gid; + if (RunAsUid != 0 && + (RealGid != getgid() || + RealGid != getegid())) + { + /* Only root can change the gid */ + syserr("mailfile: insufficient privileges to change gid"); + exit(EX_TEMPFAIL); + } + } else if (bitset(S_ISGID, mode)) RealGid = stb.st_gid; else if (ctladdr != NULL && ctladdr->q_uid != 0) @@ -3939,8 +4007,11 @@ mailfile(filename, mailer, ctladdr, sfflags, e) if (RealUserName != NULL && !DontInitGroups) { if (initgroups(RealUserName, RealGid) == -1 && suidwarn) + { syserr("mailfile: initgroups(%s, %d) failed", RealUserName, RealGid); + exit(EX_TEMPFAIL); + } } else { @@ -3948,7 +4019,10 @@ mailfile(filename, mailer, ctladdr, sfflags, e) gidset[0] = RealGid; if (setgroups(1, gidset) == -1 && suidwarn) + { syserr("mailfile: setgroups() failed"); + exit(EX_TEMPFAIL); + } } /* @@ -3973,15 +4047,24 @@ mailfile(filename, mailer, ctladdr, sfflags, e) dprintf("mailfile: deliver to %s\n", realfile); if (chdir("/") < 0) + { syserr("mailfile: cannot chdir(/)"); + exit(EX_CANTCREAT); + } /* now reset the group and user ids */ endpwent(); if (setgid(RealGid) < 0 && suidwarn) + { syserr("mailfile: setgid(%ld) failed", (long) RealGid); + exit(EX_TEMPFAIL); + } vendor_set_uid(RealUid); if (setuid(RealUid) < 0 && suidwarn) + { syserr("mailfile: setuid(%ld) failed", (long) RealUid); + exit(EX_TEMPFAIL); + } if (tTd(11, 2)) dprintf("mailfile: running as r/euid=%d/%d, r/egid=%d/%d\n", diff --git a/gnu/dist/sendmail/sendmail/main.c b/gnu/dist/sendmail/sendmail/main.c index b01480feb7e2..d93d08f81d61 100644 --- a/gnu/dist/sendmail/sendmail/main.c +++ b/gnu/dist/sendmail/sendmail/main.c 
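Review bot: In mailfile() a failed `chdir("/")` now exits with `EX_CANTCREAT`, while every other failure path added to this function, and the identical `chdir("/")` checks in openmailer and prog_open, use `EX_TEMPFAIL`. The exit status presumably decides whether the delivery is retried or rejected, so the difference should either be deliberate and commented or removed: `exit(EX_TEMPFAIL);`.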
@@ -21,7 +21,7 @@ static char copyright[] = #endif /* ! lint */ #ifndef lint -static char id[] = "@(#)Id: main.c,v 8.485 2000/03/11 19:53:01 ca Exp"; +static char id[] = "@(#)Id: main.c,v 8.485.6.2 2000/05/28 18:00:12 gshapiro Exp"; #endif /* ! lint */ #define _DEFINE @@ -113,6 +113,7 @@ main(argc, argv, envp) STAB *st; register int i; int j; + int dp; bool safecf = TRUE; BITMAP256 *p_flags = NULL; /* daemon flags */ bool warn_C_flag = FALSE; @@ -229,7 +230,8 @@ main(argc, argv, envp) #endif /* NGROUPS_MAX */ /* drop group id privileges (RunAsUser not yet set) */ - (void) drop_privileges(FALSE); + dp = drop_privileges(FALSE); + setstat(dp); #ifdef SIGUSR1 /* arrange to dump state on user-1 signal */ @@ -687,7 +689,8 @@ main(argc, argv, envp) if (RealUid != 0) warn_C_flag = TRUE; ConfFile = optarg; - (void) drop_privileges(TRUE); + dp = drop_privileges(TRUE); + setstat(dp); safecf = FALSE; break; @@ -885,7 +888,8 @@ main(argc, argv, envp) break; case 'X': /* traffic log file */ - (void) drop_privileges(TRUE); + dp = drop_privileges(TRUE); + setstat(dp); if (stat(optarg, &traf_st) == 0 && S_ISFIFO(traf_st.st_mode)) TrafficLogFile = fopen(optarg, "w"); @@ -1014,7 +1018,8 @@ main(argc, argv, envp) if (OpMode != MD_DAEMON && OpMode != MD_FGDAEMON) { /* drop privileges -- daemon mode done after socket/bind */ - (void) drop_privileges(FALSE); + dp = drop_privileges(FALSE); + setstat(dp); } #if NAMED_BIND @@ -2555,7 +2560,8 @@ drop_privileges(to_real_uid) if (tTd(47, 1)) dprintf("drop_privileges(%d): Real[UG]id=%d:%d, RunAs[UG]id=%d:%d\n", - (int)to_real_uid, (int)RealUid, (int)RealGid, (int)RunAsUid, (int)RunAsGid); + (int)to_real_uid, (int)RealUid, + (int)RealGid, (int)RunAsUid, (int)RunAsGid); if (to_real_uid) { 
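Review bot: The result of drop_privileges() is now handed to `setstat(dp)`, but control continues on the next line at every one of these call sites; in the `case 'X'` hunk the next step is `fopen(optarg, "w")` on a path taken from the command line. setstat() is defined outside this diff; if it only records an exit status, a failed drop still lets the process carry on with the privileges it was meant to shed. Consider stopping at the call site, for example `if (dp != EX_OK) exit(dp);` or the file's usual termination routine, here, at the `-C` case, before the daemon-mode check, and in the setoption() hunk in readcf.c.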
@@ -2570,19 +2576,48 @@ drop_privileges(to_real_uid) /* reset group permissions; these can be set later */ emptygidset[0] = (to_real_uid || RunAsGid != 0) ? RunAsGid : getegid(); if (setgroups(1, emptygidset) == -1 && geteuid() == 0) + { + syserr("drop_privileges: setgroups(1, %d) failed", + (int)emptygidset[0]); rval = EX_OSERR; + } /* reset primary group and user id */ if ((to_real_uid || RunAsGid != 0) && setgid(RunAsGid) < 0) + { + syserr("drop_privileges: setgid(%d) failed", (int)RunAsGid); rval = EX_OSERR; - if ((to_real_uid || RunAsUid != 0) && setuid(RunAsUid) < 0) - rval = EX_OSERR; + } + if (to_real_uid || RunAsUid != 0) + { + if (setuid(RunAsUid) < 0) + { + syserr("drop_privileges: setuid(%d) failed", + (int)RunAsUid); + rval = EX_OSERR; + } + else if (RunAsUid != 0 && setuid(0) == 0) + { + /* + ** Believe it or not, the Linux capability model + ** allows a non-root process to override setuid() + ** on a process running as root and prevent that + ** process from dropping privileges. + */ + + syserr("drop_privileges: setuid(0) succeeded (when it should not)"); + rval = EX_OSERR; + } + } if (tTd(47, 5)) { dprintf("drop_privileges: e/ruid = %d/%d e/rgid = %d/%d\n", - (int)geteuid(), (int)getuid(), (int)getegid(), (int)getgid()); + (int)geteuid(), (int)getuid(), + (int)getegid(), (int)getgid()); dprintf("drop_privileges: RunAsUser = %d:%d\n", (int)RunAsUid, (int)RunAsGid); + if (tTd(47, 10)) + dprintf("drop_privileges: rval = %d\n", rval); } return rval; } diff --git a/gnu/dist/sendmail/sendmail/readcf.c b/gnu/dist/sendmail/sendmail/readcf.c index 4cb8d01adcf5..c67de7a3f48c 100644 --- a/gnu/dist/sendmail/sendmail/readcf.c +++ b/gnu/dist/sendmail/sendmail/readcf.c @@ -12,7 +12,7 @@ */ #ifndef lint -static char id[] = "@(#)Id: readcf.c,v 8.382 2000/04/06 18:02:33 gshapiro Exp"; +static char id[] = "@(#)Id: readcf.c,v 8.382.6.1 2000/05/27 19:56:01 gshapiro Exp"; #endif /* ! lint */ #include 
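Review bot: When the `setuid(0) == 0` probe succeeds the process is running as root again, yet that branch only logs and sets `rval = EX_OSERR` before falling through to the debug output and `return rval`. Because the probe has just shown that privileges could not be shed, it is safer to stop there than to rely on every caller checking the result, e.g. `exit(EX_OSERR);` directly after the syserr(). The probe also covers only the uid: nothing in the hunk confirms that getgid()/getegid() equal RunAsGid after setgid().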
@@ -1915,9 +1915,12 @@ setoption(opt, val, safe, sticky, e) { if (opt != 'M' || (val[0] != 'r' && val[0] != 's')) { + int dp; + if (tTd(37, 1)) dprintf(" (unsafe)"); - (void) drop_privileges(TRUE); + dp = drop_privileges(TRUE); + setstat(dp); } } if (tTd(37, 1)) diff --git a/gnu/dist/sendmail/sendmail/recipient.c b/gnu/dist/sendmail/sendmail/recipient.c index fcbb713ec9c8..03588dcd54ff 100644 --- a/gnu/dist/sendmail/sendmail/recipient.c +++ b/gnu/dist/sendmail/sendmail/recipient.c @@ -12,7 +12,7 @@ */ #ifndef lint -static char id[] = "@(#)Id: recipient.c,v 8.231 2000/01/05 01:40:53 gshapiro Exp"; +static char id[] = "@(#)Id: recipient.c,v 8.231.16.1 2000/05/27 19:56:01 gshapiro Exp"; #endif /* ! lint */ #include @@ -1158,8 +1158,12 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e) if (!DontInitGroups) { if (initgroups(user, gid) == -1) + { + rval = EAGAIN; syserr("include: initgroups(%s, %d) failed", user, gid); + goto resetuid; + } } else { @@ -1167,22 +1171,38 @@ include(fname, forwarding, ctladdr, sendq, aliaslevel, e) gidset[0] = gid; if (setgroups(1, gidset) == -1) + { + rval = EAGAIN; syserr("include: setgroups() failed"); + goto resetuid; + } } if (gid != 0 && setgid(gid) < -1) + { + rval = EAGAIN; syserr("setgid(%d) failure", gid); + goto resetuid; + } if (uid != 0) { # if MAILER_SETUID_METHOD == USE_SETEUID if (seteuid(uid) < 0) + { + rval = EAGAIN; syserr("seteuid(%d) failure (real=%d, eff=%d)", uid, getuid(), geteuid()); + goto resetuid; + } # endif /* MAILER_SETUID_METHOD == USE_SETEUID */ # if MAILER_SETUID_METHOD == USE_SETREUID if (setreuid(0, uid) < 0) + { + rval = EAGAIN; syserr("setreuid(0, %d) failure (real=%d, eff=%d)", uid, getuid(), geteuid()); + goto resetuid; + } # endif /* MAILER_SETUID_METHOD == USE_SETREUID */ } } 
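Review bot: In the second include() hunk, `if (gid != 0 && setgid(gid) < -1)` can never be true, because setgid() returns 0 or -1, so the `rval = EAGAIN; ... goto resetuid;` body added under it is dead code and a failed setgid() is still ignored. The comparison should be `setgid(gid) < 0`. The test itself is a context line, but the commit attaches its new error handling to it, so this is the natural place to correct it. include()'s body extends beyond the hunk.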
@@ -1309,18 +1329,20 @@ resetuid: { # if USESETEUID if (seteuid(0) < 0) - syserr("seteuid(0) failure (real=%d, eff=%d)", + syserr("!seteuid(0) failure (real=%d, eff=%d)", getuid(), geteuid()); # else /* USESETEUID */ if (setreuid(-1, 0) < 0) - syserr("setreuid(-1, 0) failure (real=%d, eff=%d)", + syserr("!setreuid(-1, 0) failure (real=%d, eff=%d)", getuid(), geteuid()); if (setreuid(RealUid, 0) < 0) - syserr("setreuid(%d, 0) failure (real=%d, eff=%d)", + syserr("!setreuid(%d, 0) failure (real=%d, eff=%d)", RealUid, getuid(), geteuid()); # endif /* USESETEUID */ } - (void) setgid(savedgid); + if (setgid(savedgid) < 0) + syserr("!setgid(%d) failure (real=%d eff=%d)", + savedgid, getgid(), getegid()); } #endif /* HASSETREUID || USESETEUID */ diff --git a/gnu/dist/sendmail/sendmail/util.c b/gnu/dist/sendmail/sendmail/util.c index 4d3498eae312..443191032c0b 100644 --- a/gnu/dist/sendmail/sendmail/util.c +++ b/gnu/dist/sendmail/sendmail/util.c @@ -12,7 +12,7 @@ */ #ifndef lint -static char id[] = "@(#)Id: util.c,v 8.225 2000/03/28 21:55:22 ca Exp"; +static char id[] = "@(#)Id: util.c,v 8.225.4.1 2000/05/27 19:56:01 gshapiro Exp"; #endif /* ! lint */ #include @@ -1856,17 +1856,29 @@ prog_open(argv, pfd, e) { expand(ProgMailer->m_rootdir, buf, sizeof buf, e); if (chroot(buf) < 0) + { syserr("prog_open: cannot chroot(%s)", buf); + exit(EX_TEMPFAIL); + } if (chdir("/") < 0) + { syserr("prog_open: cannot chdir(/)"); + exit(EX_TEMPFAIL); + } } /* run as default user */ endpwent(); if (setgid(DefGid) < 0 && geteuid() == 0) + { syserr("prog_open: setgid(%ld) failed", (long) DefGid); + exit(EX_TEMPFAIL); + } if (setuid(DefUid) < 0 && geteuid() == 0) + { syserr("prog_open: setuid(%ld) failed", (long) DefUid); + exit(EX_TEMPFAIL); + } /* run in some directory */ if (ProgMailer != NULL) diff --git a/gnu/dist/sendmail/sendmail/version.c b/gnu/dist/sendmail/sendmail/version.c index 8a09e793e242..349d3756d736 100644 --- a/gnu/dist/sendmail/sendmail/version.c 
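Review bot: The only change to the resetuid messages is a leading `!` in the format string (`"!seteuid(0) failure ..."`), presumably a marker that makes syserr() treat the error as fatal; syserr() is not part of this diff, so that is an assumption. A one-line comment at the top of the block would stop the next reader from taking it for a typo, e.g. `/* "!" prefix: failing to restore the saved ids must not be survivable */`. The new setgid message also drops the comma its siblings use: `(real=%d eff=%d)` versus `(real=%d, eff=%d)`.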
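Review bot: Between `endpwent()` and `setgid(DefGid)` prog_open() makes no initgroups() or setgroups() call, so within the visible lines the child keeps whatever supplementary groups it inherited while switching to DefUid/DefGid. openmailer and mailfile() reset the group list before setgid(); if prog_open() relies on an earlier drop_privileges() having done that, a comment stating so would help, otherwise add a `setgroups(1, gidset)` step with `gidset[0] = DefGid` ahead of setgid() and fail the same way on error. The function body starts and ends outside the hunk, so an existing reset before the chroot block cannot be ruled out.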
+++ b/gnu/dist/sendmail/sendmail/version.c @@ -12,7 +12,7 @@ */ #ifndef lint -static char id[] = "@(#)Id: version.c,v 8.43 2000/04/06 20:30:54 gshapiro Exp"; +static char id[] = "@(#)Id: version.c,v 8.43.6.2 2000/06/07 07:39:56 gshapiro Exp"; #endif /* ! lint */ -char Version[] = "8.10.1"; +char Version[] = "8.10.2";