Bug#851397: jessie-pu: package sendmail/8.14.4-8+deb8u2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
the security team has asked for this possible privilege escalation to be
fixed via jessie-pu:
sendmail (8.14.4-8+deb8u2) jessie-pu; urgency=medium
  * QA upload.
Disclaimer: I last ran sendmail about 15 years ago on Solaris 8.
  * Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir (writable by
    group smmsp) to avoid possible privilege escalation.  (Closes: #841257)
  * Use lockfile-create (from lockfile-progs) instead of touch to manage the
    cronjob lockfiles.
This fix has been in unstable for some time (and without regression
reports for its second iteration), but I don't know anyone who could
test this in jessie properly.
Anyway, I'll ping all people involved in the relevant bug reports
to see whether they can test it once it has reached jessie-pu.
  * sendmail-base: Add Depends: netbase for /etc/services.
Backported from sid, sendmail is noisy if /etc/services is missing
(and maybe not working). No known bug report, probably since
it is unlikely to install a production server without netbase.
Andreas
diff --git a/debian/changelog b/debian/changelog
index 89413a0..6cb1bb1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+sendmail (8.14.4-8+deb8u2) jessie; urgency=medium
+
+  * QA upload.
+  * Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir (writable by
+    group smmsp) to avoid possible privilege escalation.  (Closes: #841257)
+  * Use lockfile-create (from lockfile-progs) instead of touch to manage the
+    cronjob lockfiles.
+  * sendmail-base: Add Depends: netbase for /etc/services.
+
+ -- Andreas Beckmann <anbe@debian.org>  Sat, 14 Jan 2017 15:32:05 +0100
+
 sendmail (8.14.4-8+deb8u1) jessie; urgency=medium
 
   * QA upload.
diff --git a/debian/control b/debian/control
index 0f57840..df65e81 100644
--- a/debian/control
+++ b/debian/control
@@ -216,6 +216,8 @@ Depends:
  m4,
  make,
  adduser,
+ netbase,
+ lockfile-progs,
  ${perl:Depends},
  ${misc:Depends}
 Suggests:
diff --git a/debian/control.in b/debian/control.in
index a4d1d81..bce911a 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -216,6 +216,8 @@ Depends:
  m4,
  make,
  adduser,
+ netbase,
+ lockfile-progs,
  ${perl:Depends},
  ${misc:Depends}
 Suggests:
diff --git a/debian/local/sendmail.in b/debian/local/sendmail.in
index 0d3730a..885ad24 100644
--- a/debian/local/sendmail.in
+++ b/debian/local/sendmail.in
@@ -178,6 +178,14 @@ Get_Parameters () {
 	};
 #------------------------------------------------------------------------------
 
+# the stamp directory is owned and writable by group smmsp
+touch_stamp() {
+	if [ "$(id -nu)" = "smmsp" ]; then
+		touch "$1"
+	else
+		su smmsp -s /bin/sh -c "touch '$1'"
+	fi
+}
 
 #------------------------------------------------------------------------------
 # enhanced sendmail startup
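Review bot: In the else branch of touch_stamp the path is spliced into the command string handed to `su ... -c`, so a `$1` containing a single quote would end the quoting and the remainder would be interpreted by the shell running as smmsp. The callers in the start_mta and reload_mta hunks also pass `$STAMP_DIR/reload` unquoted, so the helper relies on STAMP_DIR being a plain path without whitespace or quotes. I would state that in the comment above the function, e.g. `# $1 is interpolated into a shell command run as smmsp: it must not contain quotes or whitespace`, and quote the call sites as `touch_stamp "$STAMP_DIR/reload"`. The else branch also appears to assume the caller is root, since su from any other account would ask for a password; that deserves a word in the same comment.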
@@ -202,7 +210,7 @@ start_mta () {
 		fi;
 	#
 	# Mark restarted for communication betwixt here and /etc/mail/Makefile
-	touch $STAMP_DIR/reload;
+	touch_stamp $STAMP_DIR/reload
 	#
 	if [ "$DAEMON_MODE" = "daemon" ]; then
 		#
@@ -323,7 +331,7 @@ reload_mta () {
 	# reload (signal -HUP) is *much* better/faster than stop/start
 	#
 	# Mark restarted for communication betwixt here and /etc/mail/Makefile
-	touch $STAMP_DIR/reload;
+	touch_stamp $STAMP_DIR/reload
 	#
 	# If not running, just start it...
 	if ! is_running mta; then
@@ -855,23 +863,21 @@ cron_mta () {
 		if check_msp; then
 			if [ $MSP_MODE = 'none' ]; then
 				# Make sure only *ONE* cronjob at a time
-				if [ ! -f $STAMP_DIR/cron_msp ]; then
-					touch $STAMP_DIR/cron_msp;
+				if lockfile-create --lock-name --use-pid $STAMP_DIR/cron_msp ; then
 					#clean_queues /var/spool/mqueue-client;
 					$MSP_COMMAND -qf $MSP_A $MSP_L_QUEUE \
 						$MSP_PARMS $MISC_PARMS \
 						$CRON_PARMS || true;
-					rm -f $STAMP_DIR/cron_msp;
+					lockfile-remove --lock-name $STAMP_DIR/cron_msp
 					fi;
 				fi;
 			fi;
 
 		# Make sure only *ONE* cronjob at a time
-		if [ ! -f $STAMP_DIR/cron_mta ]; then
-			touch $STAMP_DIR/cron_mta;
+		if lockfile-create --lock-name --use-pid $STAMP_DIR/cron_mta ; then
 			$MTA_COMMAND -qf $MTA_A $MTAL_L_QUEUE \
 				$QUEUE_PARMS $MISC_PARMS $CRON_PARMS || true;
-			rm -f $STAMP_DIR/cron_mta;
+			lockfile-remove --lock-name $STAMP_DIR/cron_mta
 			fi;
 		fi;
 	};
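Review bot: `lockfile-create` without `--retry` keeps retrying with growing delays before it gives up (9 attempts by default per the lockfile-progs manual, roughly three minutes), so when another queue run holds the lock this job now waits instead of skipping at once as the old `[ ! -f ... ]` test did. If skipping is still the intent, `lockfile-create --quiet --retry 0 --lock-name --use-pid $STAMP_DIR/cron_msp` keeps the previous behaviour and stops the failure message from ending up in cron mail. The same applies to the cron_mta lock further down in this hunk and to the cron_msp hunk that follows. Separately, the lock is created by whichever user runs the cron job, inside a directory the changelog describes as writable by group smmsp, so it is worth confirming that creating it there from a more privileged account is acceptable. cron_mta itself starts before the hunk.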
@@ -893,13 +899,12 @@ cron_msp () {
 		# messages not immediately accepted by the MTA get delivered.
 		if check_msp; then
 			# Make sure only *ONE* cronjob at a time
-			if [ ! -f $STAMP_DIR/cron_msp ]; then
-				touch $STAMP_DIR/cron_msp;
+			if lockfile-create --lock-name --use-pid $STAMP_DIR/cron_msp ; then
 				#clean_queues /var/spool/mqueue-client;
 				$MSP_COMMAND -qf $MSP_A $MSP_L_QUEUE \
 					$MSP_PARMS $MISC_PARMS \
 					$CRON_PARMS || true;
-				rm -f $STAMP_DIR/cron_msp;
+				lockfile-remove --lock-name $STAMP_DIR/cron_msp
 				fi;
 			fi;
 		fi;
diff --git a/debian/local/update_mk.in b/debian/local/update_mk.in
index db8cd18..b8be738 100644
--- a/debian/local/update_mk.in
+++ b/debian/local/update_mk.in
@@ -314,7 +314,7 @@ sub write_target_restart {
 #
 .PHONY: noreload norestart
 noreload norestart: FORCE
-	\@touch $reload_stamp;
+	\@su smmsp -s /bin/sh -c "touch $reload_stamp"
 
 .PHONY: should_reload should_restart
 should_reload should_restart: FORCE
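Review bot: The generated recipe always goes through `su smmsp`, unlike touch_stamp in debian/local/sendmail.in, which first checks `id -nu`; if make is ever run in the mail configuration directory as smmsp or another non-root user, su will prompt for a password or fail and the noreload target breaks. `$reload_stamp` is also expanded unquoted inside the command string, so at minimum I would write `\@su smmsp -s /bin/sh -c "touch '$reload_stamp'"` to match the quoting used in the shell helper. Mirroring the `id -nu` test in the recipe would keep the two code paths in step, though the escaping through the Perl here-document and make needs care. write_target_restart begins and ends outside the hunk.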
diff --git a/debian/sendmail-base.postinst.in b/debian/sendmail-base.postinst.in
index 568a6b6..38c9669 100644
--- a/debian/sendmail-base.postinst.in
+++ b/debian/sendmail-base.postinst.in
@@ -47,6 +47,11 @@ if [ "$1" = "configure" ]; then
 		chown root:smmsp @sysconfdir@/mail/sasl;
 		chown root:smmsp @sysconfdir@/mail/tls;
 
+		if [ -f "@localstatedir@/run/sendmail/stampdir/reload" ]; then
+			chown smmsp:smmsp "@localstatedir@/run/sendmail/stampdir/reload"
+		fi
+
+
 		#-----------------------------------------------------------
 		# Save the current configuration files in safe place...
 		if [ -x @sysconfdir@/cron.daily/sendmail ]; then
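Review bot: `[ -f ... ]` and `chown` both follow symbolic links, and this runs as root on a path inside a directory the changelog describes as writable by group smmsp, so the ownership change could be applied to whatever file a link at that path points to. Rejecting links and not dereferencing avoids that: `if [ -f "$f" ] && [ ! -L "$f" ]; then chown -h smmsp:smmsp "$f"; fi`, with `f` set to the stamp path. The enclosing `if [ "$1" = "configure" ]` block starts and ends outside the hunk.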