Bug 28193

Summary: exim now run as root
Product: [Retired] Red Hat Powertools
Reporter: Need Real Name <mal>
Component: exim
Assignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 7.0
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-02-18 16:41:21 UTC

Description Need Real Name 2001-02-17 22:31:21 UTC
The previous exim (3.16) was running as mail.mail
(there were
exim_user = mail
exim_group = mail
in /etc/exim.conf)

But the current exim (exim-3.22-5)
is running as root; these lines are no longer in the config.

When I put them there everything seems to work OK,
with the exception of authentication.

The
# Plain text server authorization.
fixed_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if pam{$2:${sg{$3}{:}{::}}}{yes}{no}}
  server_set_id = $2

is working OK when exim is running as root,
and does not work when it is running as mail.mail

Comment 1 Need Real Name 2001-02-17 22:38:05 UTC
Another problem when running as mail.mail
is with permissions when using TLS,

exim_user = mail
exim_group = mail

Exim is not able to read the SSL certificate
because it has
root.root rw------- permissions
to protect the private key.

Would it be better to read the config,
read the certificates into memory first and then change uid/gid to those
specified in the config?

An option to set a different group and give g+r to the certificate
is not very secure because some programs can be tricked into reading the
private key.

Comment 2 Need Real Name 2001-02-17 22:49:40 UTC
Extract from the exim documentation:
------------------------
exim_user:

This option sets the uid under which Exim runs when it gives up root
privilege. However, unless there is some compelling reason for not doing
so, it is best to specify the uid by setting EXIM_UID in `Local/Makefile'
rather than using this option, because ownership of the run time
configuration file and the use of the -C and -D command line options is
checked against the compile-time setting of this parameter, not what is set
here. 

Unless it consists entirely of digits, the string is looked up using
getpwnam(), and failure causes a configuration error. If exim_group is not
also supplied, the gid is taken from the result of getpwnam() if it is
used. If the resulting uid is the root uid, it has the effect of unsetting
this option. See chapter 55 for a discussion of security issues. 

--------------

The current exim, exim-3.22-5, has user and group set
neither in /etc/exim.conf
nor in the Makefile

Comment 3 Tim Waugh 2001-02-17 23:15:43 UTC
EXIM_UID should probably be set, yes.

Not sure about the SSL certificate thing though.



Comment 4 Need Real Name 2001-02-17 23:20:56 UTC
>Not sure about the SSL certificate thing though
The TLS is a separate issue, let us leave it out of this bug for now.

Let us focus on plain authorization with PAM.
The problem described above also exists in the latest exim-3.22-6
The plain auth with PAM works OK when
exim is running as root.root 
and does not work when exim is running as mail.mail
It prints in LOG:
2001-02-17 18:12:34 Authentication failed for a.b.c.d.com (gromco.com)
[0.0.0.0]: 535 Incorrect authentication data

(I also use TLS, but the permissions on the keys were set so that exim
can read them when running as mail.mail
-rw-r-----    1 root     mail         2254 Feb 12 15:49 certificate.pem
so the problem is somewhere else)

No such problem when exim is running as root.


Comment 5 Tim Waugh 2001-02-18 00:00:47 UTC
Does the problem happen if you compile exim with 'EXIM_UID=8' and 
'EXIM_GID=12' in Local/Makefile but exim_user=root and exim_group=root (to 
undo the effect)?

[I can supply a binary if you like]




Comment 6 Need Real Name 2001-02-18 01:50:31 UTC
I set debug_level = 127 for
rpm -q exim
exim-3.22-8

[root@test_server /tmp]# ps axuww|grep exim
mail      3169  0.0  1.7  4272 1420 ?        S    20:30   0:00 /usr/sbin/exim
-bd -q1h

It asks for login/password forever; the messages from /var/log/exim/exim_mainlog
are below.

Feb 17 20:40:48 test_server exim: PAM error: Authentication failure
Feb 17 20:40:48 test_server exim: fixed_plain authenticator:
Feb 17 20:40:48 test_server exim:   $1 =
Feb 17 20:40:48 test_server exim:   $2 = mal
Feb 17 20:40:48 test_server exim:   $3 = PasswordHere
Feb 17 20:40:48 test_server exim: expanded string: no
Feb 17 20:40:48 test_server exim:
Feb 17 20:40:48 test_server exim: tls_do_write(8180fa8, 35)
Feb 17 20:40:48 test_server exim: SSL_write(SSL, 8180fa8, 35)
Feb 17 20:40:48 test_server exim: outbytes=35 error=0
Feb 17 20:40:48 test_server exim: LOG: 0 MAIN REJECT
Feb 17 20:40:48 test_server exim:   Authentication failed for host.domain.com
(gromco.com) [1.2.3.4]: 535 Incorrect authentication data
Feb 17 20:40:48 test_server exim: Calling SSL_read(8190460, 8191c98, 4096)


Then I added
exim_user = root
exim_group = root

 ps axuww|grep exim
root      3224  0.3  1.8  4276 1428 ?        S    20:36   0:00 /usr/sbin/exim
-bd -q1h
Now it is running as root.

The e-mail sent OK with no problem.


Feb 17 20:43:00 test_server last message repeated 4 times
Feb 17 20:43:00 test_server exim: Calling SSL_read(8190890, 81920c8, 4096)
Feb 17 20:43:04 test_server exim: SMTP<< AUTH PLAIN AG1hbAB0dHk1MzU=
Feb 17 20:43:04 test_server exim: Running PAM authentication for user "mal"
Feb 17 20:43:04 test_server exim: PAM success
Feb 17 20:43:04 test_server exim: fixed_plain authenticator:
Feb 17 20:43:04 test_server exim:   $1 =
Feb 17 20:43:04 test_server exim:   $2 = mal
Feb 17 20:43:04 test_server exim:   $3 = PasswordHere
Feb 17 20:43:04 test_server exim: expanded string: yes
Feb 17 20:43:04 test_server exim:
Feb 17 20:43:04 test_server exim: tls_do_write(8180fa8, 30)
Feb 17 20:43:04 test_server exim: SSL_write(SSL, 8180fa8, 30)
Feb 17 20:43:04 test_server exim: outbytes=30 error=0
Feb 17 20:43:04 test_server exim: Calling SSL_read(8190890, 81920c8, 4096)



Comment 7 Need Real Name 2001-02-18 01:57:51 UTC
-------- This is the right log (Some necessary information was missed below).
From these logs you see that the PAM module fails
when running as non-root and works OK when running as root.

1. FAILURE

Feb 17 20:40:38 test_server exim: SMTP<< AUTH PLAIN PASSWORD_HERE_ENCODED=
Feb 17 20:40:38 test_server exim: Running PAM authentication for user "mal"
Feb 17 20:40:38 test_server PAM_unix[3268]: authentication failure; root(uid=8)
-> mal for exim service
Feb 17 20:40:41 test_server exim: PAM error: Authentication failure
Feb 17 20:40:41 test_server exim: fixed_plain authenticator:
Feb 17 20:40:41 test_server exim:   $1 =
Feb 17 20:40:41 test_server exim:   $2 = mal
Feb 17 20:40:41 test_server exim:   $3 = PasswordHere
Feb 17 20:40:41 test_server exim: expanded string: no
Feb 17 20:40:41 test_server exim:
Feb 17 20:40:41 test_server exim: tls_do_write(8180fa8, 35)
Feb 17 20:40:41 test_server exim: SSL_write(SSL, 8180fa8, 35)
Feb 17 20:40:41 test_server exim: outbytes=35 error=0
Feb 17 20:40:41 test_server exim: LOG: 0 MAIN REJECT
Feb 17 20:40:41 test_server exim:   Authentication failed for host.domain.com
(gromco.com) [1.2.3.4]: 535 Incorrect authentication data

2. SUCCESS

Feb 17 20:43:04 test_server exim: SMTP<< AUTH PLAIN PASSWORD_HERE_ENCODED=
Feb 17 20:43:04 test_server exim: Running PAM authentication for user "mal"
Feb 17 20:43:04 test_server exim: PAM success
Feb 17 20:43:04 test_server exim: fixed_plain authenticator:
Feb 17 20:43:04 test_server exim:   $1 =
Feb 17 20:43:04 test_server exim:   $2 = mal
Feb 17 20:43:04 test_server exim:   $3 = PasswordHere
Feb 17 20:43:04 test_server exim: expanded string: yes
Feb 17 20:43:04 test_server exim:
Feb 17 20:43:04 test_server exim: tls_do_write(8180fa8, 30)
Feb 17 20:43:04 test_server exim: SSL_write(SSL, 8180fa8, 30)
Feb 17 20:43:04 test_server exim: outbytes=30 error=0
Feb 17 20:43:04 test_server exim: Calling SSL_read(8190890, 81920c8, 4096)
Feb 17 20:43:04 test_server exim: SMTP<< MAIL FROM:<mal>


Comment 8 Need Real Name 2001-02-18 01:59:43 UTC
The string

Feb 17 20:40:38 test_server PAM_unix[3268]: authentication failure; root(uid=8)
 -> mal for exim service

is probably the most relevant.
Why does it print root(uid=8)?

Comment 9 Need Real Name 2001-02-18 16:41:17 UTC
PAM 0.72 allows authorization as non-root.
It has setuid helpers integrated:
-r-sr-xr-x    1 root     root        14784 Nov 30 13:16 /sbin/pwdb_chkpwd
-r-sr-xr-x    1 root     root        15360 Nov 30 13:16 /sbin/unix_chkpwd

These helpers are used in standard PAM modules
specifically for this purpose:
checking passwords for non-root.
These programs are usually called by standard PAM modules

egrep '/sbin/(unix_chkpwd|pwdb_chkpwd)' /lib/security/*

egrep: /lib/security/pam_filter: Is a directory
Binary file /lib/security/pam_pwdb.so matches
Binary file /lib/security/pam_unix.so matches
Binary file /lib/security/pam_unix_acct.so matches
Binary file /lib/security/pam_unix_auth.so matches
Binary file /lib/security/pam_unix_passwd.so matches
Binary file /lib/security/pam_unix_session.so matches

The setuid helpers are already integrated into pam_unix etc.,
and checking a password when running as non-root is possible.

You can do even more: in /etc/pam.d/exim
you can explicitly check that the process doing
authorization is root.root or exim_user.exim_group,
then do authorization through pam_unix, which has the setuid helper integrated.
This way nobody else except exim will be able to
use these setuid helpers which will be called from pam_unix.

Comment 10 Tim Waugh 2001-02-19 18:27:19 UTC
exim-3.22-8 no longer runs as root while receiving SMTP.  The PAM problems are a
PAM restriction.