bin/54731: [PATCH] bug in mail.local can cause unnecessary mail delivery delays

Oleg Bulyzhin oleg at
Mon Jul 21 16:40:15 PDT 2003

>Number:         54731
>Category:       bin
>Synopsis:       [PATCH] bug in mail.local can cause unnecessary mail delivery delays
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 21 16:40:13 PDT 2003
>Originator:     Oleg Bulyzhin
>Release:        FreeBSD 4.8-RELEASE i386
Cronyx Plus LLC (RiNet ISP)
System: FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Sat Apr 5 12:35:16 MSD 2003 root at i386

	All sendmail versions (including 8.12.9) are affected.
	(This bug affects systems without maillock(). Not sure about
	 systems where maillock() exists).
	During mailbox locking mail.local creates lock file (usually
	/var/log/mboxname.lock). Under certain circumstances mail.local is
	unable to remove this lock file after delivery attempt, thus next
	mail delivery (handled by other mail.local process) can be delayed
	for up to LOCKTO_RM seconds (5min).

	Here is explanation:
	First, mail.local creates lock file using super-user privileges.
	Before delivery attempt mail.local drops privileges by calling
	setreuid() (mail.local.c:1073). Then, in various error checking
	code, goto err0 & goto err1 are used (mail.local.c:1087 1103 1148 1165)
	If any of this errors appears, mail.local will be unable to remove
	lock file, cause it calls unlockmbox() (mail.local.c:1231) having
	euid == uid of mbox owner (while lock file owned by root).
	Thus unlink call (mail.local.c:1398) will fail.

	Next mail.local process will be unable to deliver mail until lock
	file expires (expire time LOCKTO_RM seconds).

	It's not easy to repeat it with original mail.local cause those
	error which can lead to this problem are quite rare. (actually,
	i never seen any of em). Problem was noticed when i tested slightly
	modified mail.local (simple implementation of mailbox size limit).
	There is misplaced setreuid(0,0) call: we need super-user priveleges
	neither for truncating (mail.local.c:1228) mailbox no for closing
	(mail.local.c:1230) it. But we need those priveleges for removing
	root-owned lock file.

--- mail.local.c.orig	Mon Mar  3 20:31:13 2003
+++ mail.local.c	Tue Jul 22 03:28:05 2003
@@ -1220,7 +1220,6 @@
 		mailerr("450 4.2.0", "%s: %s", path, sm_errstring(errno));
-		(void) setreuid(0, 0);
 #ifdef DEBUG
 		fprintf(stderr, "reset euid = %d\n", (int) geteuid());
 #endif /* DEBUG */
@@ -1228,7 +1227,8 @@
 			(void) ftruncate(mbfd, curoff);
 err1:		if (mbfd >= 0)
 			(void) close(mbfd);
-err0:		unlockmbox();
+err0:		(void) setreuid(0, 0);
+		unlockmbox();


More information about the freebsd-bugs mailing list