Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cwjcc!tut.cis.ohio-state.edu!cs.utexas.edu!ut-emx!reeder
From: reeder@ut-emx.UUCP (William P. Reeder)
Newsgroups: comp.mail.sendmail
Subject: security?
Keywords: forwarding, ProgMailer
Message-ID: <10798@ut-emx.UUCP>
Date: 27 Feb 89 23:07:13 GMT
Organization: University of Texas Computation Center
Lines: 56

After I installed sendmail 5.61 (replacing 5.54) I got complaints from users about forwarding being broken. Here is what happens under 5.61:

o User fred sets up ~fred/.forward to forward mail to |/home/fred/fredscript.
o User cathy sends fred some mail.
o sendmail 5.61 runs the program specified in ~fred/.forward under cathy's uid and gid (from /etc/passwd). This may fail, depending on protections set on fred's directories and files.
o User "james@some.other.host.edu" sends fred some mail.
o sendmail 5.61 runs the same program, but under uid 1 and gid 1 (as per directions in /usr/lib/sendmail.cf). This may fail, depending on protections set on fred's directories and files.

Now imagine each of the following scenarios:

#1
o User calvin sets up ~calvin/.forward to run his research program.
o User calvin sends mail to another local user asking a question.
o Local user responds to calvin's question, and calvin's program is run under the other user's uid and gid. This succeeds because calvin has been very careful with his protections. calvin gets lots of work done, all for free. Meanwhile, people can't figure out how come they keep running out of money.

#2
o User schnook sets up ~schnook/.forward to do dirty deeds.
o User schnook sends mail to local guru, asking a question.
o Local guru reads mail and replies.
o User schnook's program is run, doing its dirty deeds under guru's uid and gid. This works because lots of interesting files are in one of the many interesting groups to which guru belongs, and because these interesting files are group writable or readable. It also turns out that these dirty deeds are run dirt cheap (from schnook's point of view) because accounting is to guru's uid.

This seems like a fairly serious security hole. Do others care to comment on the question: Why would you want to run a program under the user id of the sender, rather than under the uid of the recipient who asked for the program to be run?

My users' complaints about forwarding imply that sendmail 5.54 would run programs under the uid of the owner of the .forward file. (There is a check in 5.61 to make sure the .forward file is owned by the recipient.)

Routine setsender() in src/envelope.c is the one which checks to see if the sender is local, and resets DefUid and DefGid if (s)he is. This code is essentially unchanged from 5.54 to 5.61. I am still tracking the code which does forwarding to try to find what has changed here, and perhaps why.

William Reeder
postmaster@emx.utexas.edu, reeder@emx.utexas.edu
--
DISCLAIMER: I speak only for myself, and usually only to myself.
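As an added example, not part of the original post and not sendmail's own code: a small audit script a postmaster could run over users' .forward files. It parses the entries and, for each |program entry (the kind that 5.61 runs under the sender's uid), reports whether the executable is missing, is not owned by the .forward owner, or is writable by group or others. The real_stat helper reads real files; the uid and mode values used for checking are constructed samples.

```python
import os
import stat
from typing import Callable, List, Optional, Tuple

Entry = Tuple[str, str]  # (kind, target): kind is "pipe", "file" or "address"
StatFn = Callable[[str], Optional[Tuple[int, int]]]  # path -> (uid, mode) or None

def parse_forward(text: str) -> List[Entry]:
    """Split .forward text into entries (comma/newline separated, optionally quoted):
    |program pipes to a command, /path appends to a file, \\user is a local address."""
    entries: List[Entry] = []
    for item in text.replace("\n", ",").split(","):
        item = item.strip().strip('"')
        if item.startswith("|"):
            entries.append(("pipe", item[1:].strip()))
        elif item.startswith("/"):
            entries.append(("file", item))
        elif item:
            entries.append(("address", item.lstrip("\\")))
    return entries

def real_stat(path: str) -> Optional[Tuple[int, int]]:
    """(owner uid, permission bits) of a real file, or None if it is absent."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, stat.S_IMODE(st.st_mode)

def audit_pipes(owner_uid: int, entries: List[Entry],
                stat_of: StatFn = real_stat) -> List[Tuple[str, str]]:
    """Report each |program entry whose executable is missing, not owned by the
    .forward owner, or writable by group/others; under 5.61 it runs as the sender."""
    findings: List[Tuple[str, str]] = []
    for kind, target in entries:
        if kind != "pipe":
            continue
        program = target.split()[0]  # executable only; arguments are dropped
        info = stat_of(program)
        if info is None:
            findings.append((program, "program not found"))
            continue
        uid, mode = info
        if uid != owner_uid:
            findings.append((program, "not owned by .forward owner"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((program, "writable by group or others"))
    return findings
```

Run it over each home directory's .forward with the file's st_uid as owner_uid; a stat lookup can be substituted for real_stat when checking without filesystem access.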