Re: sendmail and setgroups()
On Wed, May 02, 2001 at 03:42:55PM -0400, Richard A Nelson wrote:
> On Wed, 2 May 2001, Shane Wegner wrote:
> > The current SendMail in unstable appears to be doing a
> > setgroups() call when it does not have superuser
> > privileges. I am getting the following on a regular basis
> > from my lids kernel.
> >
> > LIDS: sendmail (9 2 inode 32909) pid 19760 user (8/8) on
> > NULL tty: more CAP_SETGID violation: Try to
> > setgroups,logging disabled for 10 seconds
> >
> > It only logs this when setgroups() is called and the user
> > is not root. Do you have any idea what this could be?
>
> Yeah, it's part of the recent security updates sendmail is pushing
> for the 8.12.0 release.
>
> They've already received a report on this, I'll second it so we
> can see if they'll do the SETGID only if running root.
Thanks, here's the simple patch I used anyways if you're
interested.
diff -ur sendmail-8.12.0.Beta7.orig/sendmail/main.c sendmail-8.12.0.Beta7/sendmail/main.c
--- sendmail-8.12.0.Beta7.orig/sendmail/main.c Mon Apr 2 15:55:00 2001
+++ sendmail-8.12.0.Beta7/sendmail/main.c Fri May 4 16:26:59 2001
@@ -2980,6 +2980,8 @@
/* reset group permissions; these can be set later */
emptygidset[0] = (to_real_uid || RunAsGid != 0) ? RunAsGid : getegid();
+ if (geteuid == 0)
+ {
if (setgroups(1, emptygidset) == -1 && geteuid() == 0)
{
syserr("drop_privileges: setgroups(1, %d) failed",
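Review bot: the new guard `if (geteuid == 0)` compares the address of the geteuid function to 0 rather than calling it, so the condition is always false and the setgroups() call is skipped unconditionally, even when sendmail really is running as root and needs to reset its supplementary groups. It should read `if (geteuid() == 0)`. Once that is corrected, the existing `&& geteuid() == 0` on the setgroups() failure check inside the block becomes redundant and can be dropped.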
@@ -3026,6 +3028,7 @@
syserr("drop_privileges: Unable to drop non-root set-user-id privileges");
rval = EX_OSERR;
}
+ }
}
if (tTd(47, 5))
{
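Review bot: the closing brace added here matches the new guard, but the enclosed block (the setgroups() call through the "Unable to drop non-root set-user-id privileges" error path) is not re-indented to reflect the extra nesting level, which makes the patch hard to read against sendmail's existing brace style. Re-indenting the wrapped lines by one level, or submitting the change as a whitespace-insensitive diff, would make the intended structure clearer to the upstream maintainers the original reporter is forwarding it to.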
--
Shane Wegner: shane@cm.nu
http://www.cm.nu/~shane/
PGP: 1024D/FFE3035D
A0ED DAC4 77EC D674 5487
5B5C 4F89 9A4E FFE3 035D