Mailinglist Archive: opensuse-security (601 mails)

< Previous Next >
Re: [suse-security] Mail permissions for local users?
  • From: Stefan Suurmeijer <stefan@xxxxxxxxxxxx>
  • Date: Fri, 11 Aug 2000 14:47:19 +0200 (CEST)
  • Message-id: <Pine.LNX.4.21.0008111438180.9248-100000@xxxxxxxxxxxxxxxxxxxx>
Your sendmail has permissions 555. It should be suid root (4555). That
will clear up the problem. Then make mqueue 700, mail should be sticky,
since it's world writeable (mode 1777).

BTW: if you're running a kernel prior to 2.2.16
this does leave you open to attacks, since older kernels have a bug. See
the SuSE security announcements.

Hope this helps

Stefan


On Fri, 11 Aug 2000, Andrew Hougie wrote:

> I think this qualifies as a security issue because the only other solution
> I have would be to open up permissions completely and I don't know which I
> can safely do.
>
> I am running SuSE 6.2 and I have Marc's firewall script version 2.5
> running.
>
> When trying to send mail from pine as a user from the linux machine, I got
> an "insufficient permission" message which I resolved by chmod 777
> /var/spool/mqueue. I now get reminders of this "warning world writable".
>
> Trying to send mail from one local user to another still fails. The
> following entries are generated in /var/log/mail:
>
>
> Aug 11 07:41:23 celebrity procmail[26474]: Insufficient privileges to
> deliver to "debbie"
> Aug 11 07:41:23 celebrity sendmail[26473]: HAA26472:
> to=<debbie@xxxxxxxxxxxxxxxxxxxxx>, delay=00:00:00, xdelay=00:00:00,
> mailer=local, stat=Insufficient permission
> Aug 11 07:41:23 celebrity sendmail[26473]: HAA26472: HAA26473: DSN:
> Insufficient permission
> Aug 11 07:41:23 celebrity sendmail[26473]: HAA26473: to=andrew,
> delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
> Aug 11 07:41:23 celebrity sendmail[26473]: HAA26472: HAB26473: postmaster
> notify : Insufficient permission
> Aug 11 07:41:23 celebrity procmail[26476]: Insufficient privileges to
> deliver to "root"
> Aug 11 07:41:23 celebrity sendmail[26473]: HAB26473: to=root,
> delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Insufficient permission
> Aug 11 07:41:23 celebrity sendmail[26473]: HAB26473: HAC26473: return to
> sender: Insufficient permission
> Aug 11 07:41:23 celebrity procmail[26477]: Insufficient privileges to
> deliver to "root"
> Aug 11 07:41:23 celebrity sendmail[26473]: HAC26473: to=root,
> delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Insufficient permission
> Aug 11 07:41:23 celebrity sendmail[26473]: HAB26473: Saved message in
> /usr/tmp/dead.letter
>
> Permissions in /var/spool are:
> drwxrwxrwt 2 root root 1024 Aug 11 07:43 mail
> drwxrwxrwx 2 root root 2048 Aug 11 07:41 mqueue
>
> > ls -l /usr/sbin/sendmail
> -r-xr-xr-x 1 root root 383232 Aug 22 1999 /usr/sbin/sendmail
>
> > ls -l /usr/bin/procmail
> -rwxr-xr-x 1 root root 65428 Dec 7 1999 /usr/bin/procmail
>
> Extracts from my sendmail.mc file
> include(`/usr/share/sendmail/m4/cf.m4')
> OSTYPE(`linux')dnl
> define(`STATUS_FILE', `/var/log/sendmail.st')dnl
> define(`confDEF_USER_ID', `daemon:daemon')dnl
> define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
> define(`confCOPY_ERRORS_TO', `Postmaster')dnl
> define(`UUCP_MAILER_MAX', `2000000')dnl
> define(`confTRUSTED_USERS', `mdom wwwrun')dnl
> define(`MASQUERADE_AS', `grinton.net')dnl
> FEATURE(`limited_masquerade')dnl
> FEATURE(`masquerade_entire_domain')dnl
> FEATURE(`masquerade_envelope')dnl
> FEATURE(`local_procmail')dnl
> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
> MAILER(`local')dnl
> MAILER(`procmail')dnl
> MAILER(`smtp')dnl
> MAILER(`uucp')dnl
> MAILER(`bsmtp')dnl
> MAILER(`fido')dnl
> define(`confCW_FILE', `/etc/mail/sendmail.cw')dnl
> FEATURE(use_cw_file)dnl
> MASQUERADE_DOMAIN(grinton.net)
>
> --
> Andrew Hougie, Grinton, Aldenham Grove, Radlett,
> Hertfordshire, England, WD7 7BW
> Email: andrew@xxxxxxxxxxxx WWW: http://www.hougie.co.uk
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>
>

==========================================
Stefan Suurmeijer
Network Specialist
University of Groningen
tel: (+31) 50 363 3423
fax: (+31) 50 363 7272
E-mail (business): s.m.suurmeijer@xxxxxxxxxx
E-mail (private): stefan@xxxxxxxxxxxx
==========================================

Quis custodiet ipsos custodes? (Who'll watch the watchmen?) - Unknown





< Previous Next >
Follow Ups
References