When I upgraded to procmail-3.13.1-1.i386.rpm to fix the security hole, procmail no longer used my .procmailrc file and I had to revert to the procmail from the 5.2 CD. (I'm not sure if this really rates as `security' for severity but, since this is a `normal' severity problem for a security update, I selected `security'.)
Apr 17 16:21:11 swampfox procmail[14056]: Suspicious rcfile "/home/herrold/.procmailrc"

.... the issue, as indicated in the procmail man page, is that the new build treats as 'Suspicious' a .procmailrc file which resides in a world writable directory. A better practice would have been to have tested and found this before releasing the updated RPM, given the rather slight 'risk' of the latest 'exploit.'

==========
autorpm]# grep procm install.log
Sat Nov 7 16:38:18 EST 1998 - procmail-3.10-12 -> procmail-3.10-13
Sat Apr 17 04:40:53 EDT 1999 - procmail-3.10-13 -> procmail-3.13.1-1
==========

This is new, from the man page:

Suspicious rcfile "x"
The owner of the rcfile was not the recipient or root, the file was world writable, or the directory that contained it was world writable, or this was the default rcfile ($HOME/.procmailrc) and either it was group writable or the directory that contained it was group writable (the rcfile was not used).
At least with my setup, the problem is not the writability of the directory. My home directory is only writable (or readable for that matter) by me. Since UMASK is set to 022 for the user private groups that RedHat uses, the .procmailrc file was group writable. There should have been a note on the errata page mentioning this. If a sysadmin has been vigilant about following the user private group strategy, then a group readable and writable .procmailrc file is not a security risk.
We have posted a shell script to run on a host, possibly in a crontab entry, to highlight to the end user, and optionally to root, if the ver. 3.13 changes are likely to 'complain.' see: http://swampfox.owlriver.com/files/ORCprocmailcheck
The problem is a change introduced in procmail 3.12: "- Don't use $HOME/.procmailrc if it's group-writable or in a group-writable directory, unless if the user's default group and GROUP_PER_USER is set in config.h" The solution would seem to be: set GROUP_PER_USER in config.h. Would some developer be so kind?
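As an added example (not the ORCprocmailcheck script linked above, and not procmail's own code), a POSIX shell function that applies the "Suspicious rcfile" rules from the man page text quoted earlier in this bug, so an admin can run it over each home directory before rolling out the 3.13.1 package. The function name, the GROUP_PER_USER argument, and the reading that the GROUP_PER_USER exemption covers a file or directory whose group is the user's default group are assumptions taken from the HISTORY entry quoted in this comment.

```shell
#!/bin/sh
# Added example, not the ORCprocmailcheck script and not procmail's own
# code: re-implements the "Suspicious rcfile" rules from the procmail 3.13
# man page quoted in this bug, so an admin can list the users whose
# .procmailrc the updated build will refuse before installing it.
#
# check_rcfile RCFILE USER [GROUP_PER_USER]
#   GROUP_PER_USER: non-empty if procmail was compiled with it defined.
# Prints a reason and returns 1 where procmail would log "Suspicious
# rcfile", returns 0 where it would use the file.  Assumes POSIX find(1)
# and id(1).  The GROUP_PER_USER exemption (group-writable is acceptable
# when the file's or directory's group is the user's default group) is an
# assumption based on the HISTORY entry quoted above.

# Does GROUP_PER_USER excuse group-writability of $1?
group_ok() {
    [ -n "$gpu" ] && [ -n "$(find "$1" -prune -group "$defgrp" -print)" ]
}

check_rcfile() {
    rc=$1 user=$2 gpu=$3
    dir=$(dirname "$rc")
    defgrp=$(id -gn "$user") || return 1
    [ -f "$rc" ] || { echo "cannot check: $rc is not a regular file"; return 1; }
    # Owner must be the recipient or root.
    if [ -z "$(find "$rc" -prune \( -user "$user" -o -user root \) -print)" ]; then
        echo "suspicious: $rc is not owned by $user or root"; return 1
    fi
    # Neither the file nor its directory may be world-writable (mode bit 002).
    if [ -n "$(find "$rc" -prune -perm -002 -print)" ]; then
        echo "suspicious: $rc is world-writable"; return 1
    fi
    if [ -n "$(find "$dir" -prune -perm -002 -print)" ]; then
        echo "suspicious: directory $dir is world-writable"; return 1
    fi
    # The default rcfile ($HOME/.procmailrc) must additionally not be
    # group-writable (020) nor sit in a group-writable directory, unless
    # GROUP_PER_USER excuses it.  Rcfiles named on the command line skip this.
    if [ "$(basename "$rc")" = .procmailrc ]; then
        if [ -n "$(find "$rc" -prune -perm -020 -print)" ] && ! group_ok "$rc"; then
            echo "suspicious: $rc is group-writable"; return 1
        fi
        if [ -n "$(find "$dir" -prune -perm -020 -print)" ] && ! group_ok "$dir"; then
            echo "suspicious: directory $dir is group-writable"; return 1
        fi
    fi
    echo "ok: $rc"
}
```

A cron job can loop over /home/*/.procmailrc with the owning user's name and mail any "suspicious" lines to root, which is the same idea the linked script follows.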
... from the maintainer of procmail, his suggestion for the PROPER fix:

From: Philip Guenther <guenther>
To: herrold
Subject: Re: Response to procmail 3.13.1 changes

R P Herrold <herrold+res> writes:
>The changes in procmail ver 3.13.1 (actually present since 3.12,
>it seems) now 'complain' to the maillog if it deems file
>permissions, directory ownerships, or other factors "Suspicious"
>with the .procmailrc file ...
>
>The popular RedHat distribution update is 'broken' in such a
>fashion, with its approach to 'groups' management.

If RedHat distributions typically have a group per user, then the procmail 3.13.1 binary RPM(s) should have been compiled with GROUP_PER_USER defined. If that is not true then it should be reported to the person who generated that distribution so that they can either correct it, or generate another set of RPMs that were compiled with it defined.

------- Additional Comments From 05/09/99 15:36 -------
I've provided a patch for the RH 6.0 procmail-3.13.1-2 rpm, as well as a .src.rpm and a .i386.rpm built with that added patch at http://cs.wilpaterson.edu/~scottw/shebang/
*** Bug 2290 has been marked as a duplicate of this bug. ***

According to procmail's HISTORY file, procmail-3.12 introduced a new behavior with respect to group-writable .procmailrc files and .procmailrc files located in group-writable directories. Specifically, procmail ignores such a .procmailrc unless GROUP_PER_USER has been defined in config.h at compile-time. The most recent procmail update packages (3.13.1) do not have GROUP_PER_USER defined and fail to function properly on Red Hat Linux systems.

------- Additional Comments From notting 04/21/99 11:34 -------
*** Bug 2291 has been marked as a duplicate of this bug. ***

*** Bug 3320 has been marked as a duplicate of this bug. ***

After upgrade from RedHat 5.2 to 6.0 procmail stopped working and this appears in /var/log/messages for every inbound message. replace user with user's name

------- Additional Comments From 06/15/99 05:55 -------
Just for the record, I added a note about this to the Procmail FAQ I maintain at <http://www.iki.fi/era/procmail/mini-faq.html#group-writable>
Need to check out the patch at http://cs.wilpaterson.edu/~scottw/shebang/ to see whether to include it in the package.
Fixed in Raw Hide.