ports/151783: mail/fetchmail: rc.d script broken in case of MDA use
Victor Balada Diaz
victor at bsdes.net
Wed Oct 27 17:40:10 UTC 2010
>Number: 151783
>Category: ports
>Synopsis: mail/fetchmail: rc.d script broken in case of MDA use
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 27 17:40:10 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Victor Balada Diaz
>Release: 7.1-RELEASE-p13
>Organization:
CoolBleiben
>Environment:
FreeBSD localhost.localdomain 7.1-RELEASE-p13 FreeBSD 7.1-RELEASE-p13 #7 r210046M: Wed Jul 14 10:40:48 CEST 2010 victor at localhost.localdomain:/usr/obj/usr/src-7.1/sys/DEBUG amd64
>Description:
If you're using the --mda parameter, this is the documented behaviour of fetchmail (from the man page):
If fetchmail is running as root, it sets its user id while delivering mail through an MDA as follows: First, the FETCHMAILUSER, LOGNAME, and USER environment variables are checked in this order. The value of the first variable from this list that is defined (even if it is empty!) is looked up in the system user database. If none of the variables is defined, fetchmail will use the real user id it was started with. If one of the variables was defined, but the user stated there isn't found, fetchmail continues running as root, without checking remaining variables on the list. Practically, this means that if you run fetchmail as root (not recommended), it is most useful to define the FETCHMAILUSER environment variable to set the user that the MDA should run as. Some MDAs (such as maildrop) are designed to be setuid root and setuid to the recipient's user id, so you don't lose functionality this way even when running fetchmail as unprivileged user. Check the MDA's manual for details.
So if you log in by ssh, become root, and start fetchmail with a global config that needs an MDA, it will try to use the MDA of your LOGNAME or USER and will give an error:
Oct 27 19:15:38 oro fetchmail[89429]: Cannot switch effective user id to 1001: Operation not permitted
>How-To-Repeat:
1) create a standard configuration that uses another program as MDA and make sure that the MDA program doesn't have setuid or setgid perms.
2) log in as your current user
3) use su to become root
4) start the fetchmail daemon: /usr/local/etc/rc.d/fetchmail start
5) look at the logs; you'll see it's unable to deliver anything.
>Fix:
Define FETCHMAILUSER=$fetchmail_user (by default, fetchmail) in the rc.d shell script before starting fetchmail in daemon mode.
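Example added here, not from the PR or from the port's rc.d script: the first function emulates the user-selection order the man page quote describes (so the defined-but-unknown case that leaves the MDA running as root is visible), and the second shows the submitter's fix as an rc.d script would apply it. The rc.conf knob name fetchmail_user and its default fetchmail are taken from the PR; everything else is assumed.

```shell
# Emulates fetchmail's documented MDA user selection when started as root.
# Arguments mirror the environment variables FETCHMAILUSER, LOGNAME, USER;
# pass the literal token "-" for an undefined variable, so that a defined
# but empty value (which the man page says still counts) can be expressed.
# Prints the account the MDA would run as; "root" when a variable was
# defined but names no account (the case behind the EPERM in the report).

user_exists() {
    # Look the name up in the system user database (FreeBSD and Linux).
    id -u "$1" >/dev/null 2>&1
}

resolve_mda_user() {
    for v in "$1" "$2" "$3"; do
        [ "$v" = "-" ] && continue      # variable not defined: try the next one
        if user_exists "$v"; then
            printf '%s\n' "$v"          # first defined variable names a real user
        else
            printf 'root\n'             # defined but unknown: stays root, stops looking
        fi
        return 0
    done
    id -un                              # nothing defined: real user id it started with
}

# The fix proposed in the PR, as the rc.d script would do it before starting
# the daemon: make the delivery user explicit instead of inheriting the
# administrator's LOGNAME/USER from the su session.
fetchmail_user=${fetchmail_user:-fetchmail}   # rc.conf knob, default "fetchmail"

fetchmail_export_user() {
    FETCHMAILUSER=$fetchmail_user
    export FETCHMAILUSER
    printf '%s\n' "$FETCHMAILUSER"
}
```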
>Release-Note:
>Audit-Trail:
>Unformatted: