Fetchmail as root
Ah. Maybe I sent that off too quickly. The exact wording is:

The system-wide fetchmail daemon can be run either as root or as an unprivileged user 'fetchmail'. You should only run it as root if you will need to deliver mail directly from fetchmail to a MDA (unsafe, and not done by default in Debian), or if a plugin or preconnect line needs it.

Since I am using procmail, which I think is an MDA, this would make sense. But the question about why Debian thinks it's unsafe still remains. I guess I'm just trying to find out what risk I've accepted by doing it!

Thanks again in advance.

nick
Since I am using procmail, which I think is an MDA, this would make sense. But the question about why Debian thinks it's unsafe still remains. I guess I'm just trying to find out what risk I've accepted by doing it!
Running *anything* as root is potentially dangerous.

Imagine a situation where a vulnerability existed in fetchmail that allowed arbitrary code to be executed due to, say, a specific mangling of mail headers. A malicious person could build an email worm that propagated in this way: the code would be attached to the email and is executed when processed by fetchmail, by the user fetchmail is run as.

So far, so bad. If fetchmail runs as an unprivileged user, the harm that can be done is minimal, but if fetchmail were to run as root, then in this example, anything could happen, the sky really would be the limit, backdoored versions of smtp, dns, http etc. daemons could be installed, the world as we know it would crumble, and we would be returned to the dark ages, all because of running fetchmail as root ;-)

Seriously though, I suspect the first line of my reply is the root (no pun intended) of the Debian maintainers' caution.

--
James Ogley, Webmaster, Rubber Turnip
james@rubberturnip.org.uk
http://www.rubberturnip.org.uk
Jabber: riggwelter@myjabber.net
Using Free Software since 1994, running GNU/Linux (SuSE 8.1).
GNOME updates for SuSE: http://www.usr-local-bin.org
On Sunday 01 December 2002 10:49, James Ogley wrote:
Since I am using procmail, which I think is an MDA, this would make sense. But the question about why Debian thinks it's unsafe still remains. I guess I'm just trying to find out what risk I've accepted by doing it!
Running *anything* as root is potentially dangerous
Okay, that's basically what I thought. I did a Google search to see if there were specific examples of people who had lost their homes and savings after running fetchmail as root and didn't come across many, but the point is taken.

Thanks so much for the reply!

Nick
The 02.12.01 at 11:01, Nick Selby wrote:
On Sunday 01 December 2002 10:49, James Ogley wrote:
Since I am using procmail, which I think is an MDA, this would make sense. But the question about why Debian thinks it's unsafe still remains. I guess I'm just trying to find out what risk I've accepted by doing it!
Running *anything* as root is potentially dangerous
Okay, that's basically what I thought. I did a google search to see if there were specific examples of people who had lost their homes and savings after running fetchmail as root and didn't come across many, but the point is taken.
SuSE reported such a problem last September:

- fetchmail
  Fetchmail contains remotely exploitable overflows in the mail header parsing functions. In depth discussion of these problems can be found at http://security.e-matters.de/advisories/032002.html. New packages will soon be available on our ftp servers.

--
Cheers,
Carlos Robinson
On Sun, 1 Dec 2002, Nick Selby wrote:
Ah. Maybe I sent that off too quickly. The exact wording is:
The system-wide fetchmail daemon can be run either as root or as an unprivileged user 'fetchmail'. You should only run it as root if you will need to deliver mail directly from fetchmail to a MDA (unsafe, and not done by default in Debian), or if a plugin or preconnect line needs it.
Since I am using procmail, which I think is an MDA, this would make sense. But the question about why Debian thinks it's unsafe still remains. I guess I'm just trying to find out what risk I've accepted by doing it!
It only has to run as root if it should hand the mail to procmail itself without sendmail in between. Just set fetchmail to use sendmail or whatever MTA you are using, and your MTA can hand it to procmail. Then fetchmail does not need to be root.

Regards
Ole
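The distinction Ole describes and the options the quoted Debian note names, as a check that can be run over a fetchmailrc. This is an added example, not part of the original thread; the sample configurations, host name, uid 105 and the severity labels are constructed for illustration.

```python
import shlex

# fetchmailrc options that make fetchmail run an external command.
# "mda", "plugin" and "preconnect" are the ones the quoted Debian note names;
# "postconnect" and "plugout" are their counterparts in the same file format.
EXEC_KEYWORDS = {"mda", "preconnect", "postconnect", "plugin", "plugout"}

def audit_fetchmailrc(text, run_uid):
    """Return (keyword, command, severity) for each command-running option.

    Severity is this example's own labelling (an assumption): "high" when
    the daemon's uid is 0, "review" otherwise.
    """
    # shlex handles quoted strings and '#' comments; fetchmailrc also
    # allows ',', ';' and ':' as filler, so bare ones are dropped.
    tokens = [t for t in shlex.split(text, comments=True)
              if t not in {",", ";", ":"}]
    findings = []
    # Naive pairing: a keyword followed by its argument. A user or
    # password literally named "mda" would be a false positive.
    for key, value in zip(tokens, tokens[1:]):
        if key.lower() in EXEC_KEYWORDS:
            severity = "high" if run_uid == 0 else "review"
            findings.append((key.lower(), value, severity))
    return findings

# Constructed sample: fetchmail hands mail straight to procmail.
RC_DIRECT_MDA = '''
set daemon 300
poll mail.example.org protocol pop3
  user "nick" password "not-a-real-password" is nick here
  mda "/usr/bin/procmail -d %T"   # fetchmail execs the MDA itself
'''

# Constructed sample: fetchmail hands mail to the local MTA over SMTP,
# and the MTA calls procmail, so fetchmail needs no root privileges.
RC_VIA_MTA = '''
set daemon 300
poll mail.example.org protocol pop3
  user "nick" password "not-a-real-password" is nick here
  smtphost localhost
'''

if __name__ == "__main__":
    for name, rc in (("direct MDA", RC_DIRECT_MDA), ("via MTA", RC_VIA_MTA)):
        for uid in (0, 105):  # 105 stands in for the 'fetchmail' user
            print(name, "uid", uid, audit_fetchmailrc(rc, uid))
```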
participants (4)
- Carlos E. R.
- James Ogley
- Nick Selby
- Ole Kofoed Hansen