[Bug 224015] New: sendmail does not work with symlinks or ACLs
https://bugzilla.novell.com/show_bug.cgi?id=224015

Summary: sendmail does not work with symlinks or ACLs
Product: SUSE Linux 10.1
Version: Final
Platform: x86
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: jengelh@gmx.de
QAContact: qa@suse.de

When root sends a mail to jengelh, the following pops up in /var/log/mail and the mail only gets delivered locally instead of to the address listed in ~jengelh/.forward:

Nov 27 21:11:54 alphagate sendmail[25285]: kARKBpfR025284: forward /home/jengelh/.forward.ahn+: Group writable directory
Nov 27 21:11:54 alphagate sendmail[25285]: kARKBpfR025284: forward /home/jengelh/.forward+: Group writable directory
Nov 27 21:11:54 alphagate sendmail[25285]: kARKBpfR025284: forward /home/jengelh/.forward.ahn: Group writable directory
Nov 27 21:11:54 alphagate sendmail[25285]: kARKBpfR025284: forward /home/jengelh/.forward: Group writable directory

21:28 alphagate:~ # df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda2             19540864   3445496  16095368  18% /
udev                    258072       152    257920   1% /dev
/dev/hda3            224398732 148685668  75713064  67% /sam224
/dev/hdb2            156087844 134965192  21122652  87% /sam160
/dev/hdc2            243940288 238931492   5008796  98% /sam250
/dev/hdd2            160683936  73940680  86743256  47% /hit160
/hit160/home         160683936  73940680  86743256  47% /home

Case 1: Symlink

21:28 alphagate:~ # ls -dl / /home /home/jengelh /disk1/home/jengelh /disk1/home/jengelh/.forward
drwxr-xr-x 25 root    root   259 2006-10-31 12:14 /
drwxr-xr-x  5 root    root    58 2006-10-31 08:34 /home
lrwxrwxrwx  1 root    root    19 2006-10-31 09:14 /home/jengelh -> /disk1/home/jengelh
drwx--x--x 22 jengelh users 4096 2006-11-27 07:11 /disk1/home/jengelh
-rw-r--r--  1 jengelh users   24 2006-03-17 21:43 /disk1/home/jengelh/.forward

So the error message is completely bogus.
Case 2: ACL

The same happens when an ACL is involved:

drwxrwx--x+ 4 guest users 135 2006-11-27 21:30 /home/guest
-rw-rw----+ 1 guest root    8 2006-11-27 21:30 /home/guest/.forward

Nov 27 21:30:25 alphagate sendmail[25832]: kARKUNQs025818: forward /home/guest/.forward.ahn+: Group writable directory
Nov 27 21:30:25 alphagate sendmail[25832]: kARKUNQs025818: forward /home/guest/.forward+: Group writable directory
Nov 27 21:30:25 alphagate sendmail[25832]: kARKUNQs025818: forward /home/guest/.forward.ahn: Group writable directory
Nov 27 21:30:25 alphagate sendmail[25832]: kARKUNQs025818: forward /home/guest/.forward: Group writable directory

21:31 alphagate:/var/log # getfacl /home/guest
getfacl: Removing leading '/' from absolute path names
# file: home/guest
# owner: guest
# group: users
user::rwx
user:moses:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:moses:rwx
default:group::--x
default:mask::rwx
default:other::--x

Sendmail does not seem to cope with ACLs or symlinks at all.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=224015

mhorvath@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |werner@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=224015

werner@novell.com changed:

           What    |Removed |Added
----------------------------------------------------------------------------
             Status|NEW     |RESOLVED
         Resolution|        |WONTFIX

------- Comment #1 from werner@novell.com 2006-11-28 03:18 MST -------
Security: Read the message "Group writable directory" and fix the permissions of the group writable directories and files listed or used with the help of your ~/.forward.

Btw: this holds true even for the sticky bit or ACLs.
https://bugzilla.novell.com/show_bug.cgi?id=224015

------- Comment #2 from jengelh@gmx.de 2006-11-28 03:33 MST -------
I fail to see the group-writable directory in case 1. Would you be so kind as to point me to it?

Case 2: It is not group-writable either:

11:32 alphagate:/home # getfacl guest | grep ^group
group::--x

But sendmail may think so because when ACLs are in place, the group bits are used for the ACL mask.
https://bugzilla.novell.com/show_bug.cgi?id=224015

------- Comment #3 from werner@novell.com 2006-11-28 03:53 MST -------
sendmail uses the effective id of the user and its group. Then it simply checks the permissions of e.g. the ~/.forward file and also its location with stat(), and with lstat() if a symbolic link is _not_ allowed (e.g. to avoid faked home directories).

Besides, the effective permissions with ACLs will be returned by stat() and lstat() within the effective id of the user and its group(s). No user space program uses the acl tools to check permissions because this is done automatically by using the normal system calls lstat() and stat().
https://bugzilla.novell.com/show_bug.cgi?id=224015

------- Comment #4 from jengelh@gmx.de 2006-11-28 04:18 MST -------
Which is why I think it should be fixed.
https://bugzilla.novell.com/show_bug.cgi?id=224015

------- Comment #5 from werner@novell.com 2006-11-28 04:29 MST -------
IMHO there is nothing to fix within sendmail. The acl tool functions are for getfacl() and setfacl() only ... or other permission control programs using acl's.
https://bugzilla.novell.com/show_bug.cgi?id=224015

------- Comment #6 from jengelh@gmx.de 2006-11-28 04:31 MST -------
I mean sendmail should be made aware of ACLs, e.g. using libacl to test for the group write bit instead of simply stat.st_mode & S_IWGRP.

Or is there a simple option inside sendmail to turn off group write checking? (It's just a private box so it won't matter if something is +w)
https://bugzilla.novell.com/show_bug.cgi?id=224015

------- Comment #7 from werner@novell.com 2006-11-28 04:46 MST -------
There is no need to use libacl, even postfix does not use libacl. The effective permissions used by the kernel should be available through the system calls accessing the files (not only open() but also stat() and lstat()). This is how ACLs should work ... beside this: which file system type are you using for /home and /disk1/home/jengelh ...

To turn off group write checking simply use the GroupWritableDirPathSafe flag within the `confDONT_BLAME_SENDMAIL' variable, compare with /usr/share/sendmail/ostype/suse-linux.m4 or /sbin/SuSEconfig.sendmail. You may also do a `less +/forward /usr/share/doc/packages/sendmail/README' for finer control over which files should not be checked for group permissions.
https://bugzilla.novell.com/show_bug.cgi?id=224015

------- Comment #8 from jengelh@gmx.de 2006-11-28 04:58 MST -------
> There is no need to use libacl, even postfix does not use libacl. The effective permissions used by the kernel should be available through the system calls accessing the files (not only open() but also stat() and lstat()).

I recognize that The Right Thing is done on open(O_RDWR) and access(W_OK), but I fail to see how stat() does it. It is not a write operation and therefore will succeed in most cases. That is why I think checking "I have write permissions" is better done using access() rather than stat() and &S_IWUGO.

/disk1 is just a directory below /, /home is a mount, as is /hit160/home (see comment #0). All filesystems are xfs.
https://bugzilla.novell.com/show_bug.cgi?id=224015

------- Comment #9 from werner@novell.com 2006-11-28 05:08 MST -------
The system call access(2) is for the user's permissions for a file. But sendmail checks for the group's permissions for a file within the permissions of a _not_ privileged user, see e.g. `less +/ACLs libsmutil/safefile.c'
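The mask rule that comments #2, #3 and #9 are arguing about, worked through as an added example; this is not part of the bug report and not sendmail's or libacl's code. The access ACL below is the getfacl output for /home/guest copied from comment #0 and parsed as plain text; the rule that, when an ACL_MASK entry exists, stat(2) reports the mask in the group bits of st_mode and that named entries and the owning group are limited by that mask is taken from acl(5); the second, mask-less ACL stands for a directory with plain mode bits like /disk1/home/jengelh (drwx--x--x) and is constructed for contrast. The functions show what a `st_mode & S_IWGRP` check sees, what the owning group actually gets after masking, and which non-owner entries end up with write permission.

```python
"""
Added example (not from the bug report or sendmail): how a POSIX ACL shows up
in the st_mode bits that stat(2) returns, and what a "group writable" test on
those bits does and does not tell you.

Rule from acl(5): if the ACL has an ACL_MASK entry, the group permission bits
of st_mode hold the mask, not the owning group's entry.  The effective rights
of the owning group and of every named user/group entry are the entry's bits
ANDed with the mask; the owner (user::) and other:: entries are not masked.
"""
import stat

# getfacl output for /home/guest as posted in comment #0 (copied from the page).
GETFACL_GUEST = """\
# file: home/guest
# owner: guest
# group: users
user::rwx
user:moses:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:moses:rwx
default:group::--x
default:mask::rwx
default:other::--x
"""

# Constructed: what getfacl prints for a directory that carries only the
# classic mode bits drwx--x--x (no extended ACL, hence no mask entry).
GETFACL_PLAIN = """\
# file: disk1/home/jengelh
# owner: jengelh
# group: users
user::rwx
group::--x
other::--x
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text):
    """'rw-' -> 6, '--x' -> 1."""
    return sum(PERM_BITS[c] for c in text if c != "-")


def parse_getfacl(text):
    """Access ACL as {(tag, qualifier): perms}; default entries are ignored."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        acl[(tag, qualifier)] = parse_perms(perms)
    return acl


def mode_bits_from_acl(acl):
    """Permission part of st_mode as stat(2) reports it: owner bits from user::,
    group bits from mask:: when present (else group::), other bits from other::."""
    owner = acl[("user", "")]
    group = acl.get(("mask", ""), acl[("group", "")])
    other = acl[("other", "")]
    return (owner << 6) | (group << 3) | other


def effective_perms(acl):
    """Effective permission of every entry after the mask is applied."""
    mask = acl.get(("mask", ""), 7)
    eff = {}
    for (tag, qual), perms in acl.items():
        if tag == "mask":
            continue
        if tag in ("user", "other") and qual == "":
            eff[(tag, qual)] = perms          # owner and other: not masked
        else:
            eff[(tag, qual)] = perms & mask   # owning group, named users/groups
    return eff


def stat_style_group_writable(acl):
    """What a check on stat() results alone sees: is S_IWGRP set in st_mode?"""
    return bool(mode_bits_from_acl(acl) & stat.S_IWGRP)


def non_owner_writers(acl):
    """Entries other than the owner that end up with effective write permission,
    i.e. the question a 'writable by someone else' check is really asking."""
    return sorted(f"{tag}:{qual}" for (tag, qual), p in effective_perms(acl).items()
                  if (tag, qual) != ("user", "") and p & 2)


if __name__ == "__main__":
    for name, text in (("/home/guest", GETFACL_GUEST), ("/disk1/home/jengelh", GETFACL_PLAIN)):
        acl = parse_getfacl(text)
        print(name)
        print("  st_mode perms      :", oct(mode_bits_from_acl(acl)))
        print("  S_IWGRP set        :", stat_style_group_writable(acl))
        print("  owning group (eff.):", effective_perms(acl)[("group", "")])
        print("  non-owner writers  :", non_owner_writers(acl))
```

For the Case 2 ACL the st_mode-only check fires because the mask is rwx, while the owning group's effective permission really is --x, exactly as comment #2 says. At the same time the entry user:moses:rwx survives the mask unchanged, so the directory is writable by a user other than its owner, which is the condition the sendmail message is warning about. A check that consulted the ACL entries instead of the mask would therefore have to ask "can any non-owner entry write?", not merely "does group:: carry w"; for the mask-less directory of Case 1 both ways of asking give the same answer, and this example says nothing about why the symlinked path was rejected there.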
https://bugzilla.novell.com/show_bug.cgi?id=224015

Jan Engelhardt <jengelh@gmx.de> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
             Status|RESOLVED |VERIFIED