Bug 2242 - Procmail security update ignores .procmail file
Procmail security update ignores .procmail file
Status: CLOSED NEXTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: procmail (Show other bugs)
5.2
All Linux
medium Severity medium
: ---
: ---
Assigned To: Trond Eivind Glomsrxd
: Security
: 2290 3320 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-04-17 15:10 EDT by aseward
Modified: 2008-05-01 11:37 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-08-19 16:19:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description aseward 1999-04-17 15:10:37 EDT
When I upgraded to procmail-3.13.1-1.i386.rpm to fix the
security hole, procmail no longer used my .procmailrc file
and I had to revert to the procmail from the 5.2 CD.

(I'm not sure if this realy rates as `security' for severity
but, since this is a `normail' severity problem for a
security update I selected `security')
Comment 1 R P Herrold 1999-04-17 16:29:59 EDT
Apr 17 16:21:11 swampfox procmail[14056]: Suspicious rcfile
"/home/herrold/.procmailrc"

.... the issue, as indicated in the procmail man page is that
the new build treats as 'Suspicious' a .procmailrc file which resides
in a world writable directory.

A better practice would have been to have tested and found this before
releasing the updated RPM, given the rather slight 'risk' of the
latest 'exploit.'

==========
autorpm]# grep procm install.log
Sat Nov  7 16:38:18 EST 1998 - procmail-3.10-12 -> procmail-3.10-13
Sat Apr 17 04:40:53 EDT 1999 - procmail-3.10-13 -> procmail-3.13.1-1


==========
This is new, from the man page:

  Suspicious rcfile "x"  The owner of the rcfile was not the
                              recipient or  root,  the  file  was
                              world  writable,  or  the directory
                              that   contained   it   was   world
                              writable,  or  this was the default
                              rcfile ($HOME/.procmailrc) and  ei-
                              ther  it  was group writable or the
                              directory  that  contained  it  was
                              group  writable (the rcfile was not
                              used).
Comment 2 aseward 1999-04-17 21:33:59 EDT
At least on with my setup, the problem is not the writability of the
directory.  My home directory is only writable (or readable for that
matter) by me.

Since UMASK is set to 022 for the user private groups that RedHat
uses, the .procmailrc file was group writable.  There should have been
a note on the errata page mentioning this.  If a sysadmin has been
vigilant about following the user private group strategy, then a group
readable and writable .procmailrc file is not a security risk.
Comment 3 R P Herrold 1999-04-18 22:29:59 EDT
We have posted a shell script to run on a host, possibly
in a crontab entry, to highlight to the end user, and
optionally to root, if the ver. 3.13 changes are likely
to 'complain.'

see: http://swampfox.owlriver.com/files/ORCprocmailcheck
Comment 4 jamie 1999-04-19 10:55:59 EDT
The problem is a change introduced in procmail 3.12:

"- Don't use $HOME/.procmailrc if it's group-writable or in a
group-writable directory, unless if the user's default group and
GROUP_PER_USER is set in config.h"

The solution would seem to be: set GROUP_PER_USER in config.h.
Would some developer be so kind?
Comment 5 R P Herrold 1999-04-19 12:07:59 EDT
... from the maintainer of procmail, his suggestion for the PROPER
fix:

From: Philip Guenther <guenther@gac.edu>
To: herrold@owlriver.com
Subject: Re: Response to procmail 3.13.1 changes

R P Herrold <herrold+res@owlriver.com> writes:
>The changes in procmail ver 3.13.1 (actually present since 3.12,
>it seems) now 'complain' to the maillog if it deems file
>permissions, directory ownerships, or other factors "Suspicious"
>with the .procmailrc file ...
>
>The popular RedHat distribution update is 'broken' in such a
>fashion, with its approach to 'groups' management.

If RedHat distributions typically have a group per user, then the
procmail 3.13.1 binary RPM(s) should have been compiled with
GROUP_PER_USER defined.  If that is not true then it should be
reported to the person who generated that distribution so that they
can either correct it, or generate another set of RPMs that were
compiled with it defined.
-

------- Additional Comments From   05/09/99 15:36 -------
I've provided a patch for the RH 6.0 procmail-3.13.1-2 rpm, as well as
a .src.rpm and a .i386.rpm built with that added patch at
http://cs.wilpaterson.edu/~scottw/shebang/
Comment 6 Jeff Johnson 1999-06-07 19:32:59 EDT
*** Bug 2290 has been marked as a duplicate of this bug. ***

According to procmail's HISTORY file, procmail-3.12
introduced a new behavior with respect to group-writable
.procmailrc files and .procmailrc files located in
group-writable directories.  Specifically, procmail ignores
such a .procmailrc unless GROUP_PER_USER has been defined in
config.h at compile-time.

The most recent procmail update packages (3.13.1) do not
have GROUP_PER_USER defined and fail to function properly on
Red Hat Linux systems.


------- Additional Comments From notting@redhat.com  04/21/99 11:34 -------


*** Bug 2291 has been marked as a duplicate of this bug. ***

According to procmail's HISTORY file, procmail-3.12
introduced a new behavior with respect to group-writable
.procmailrc files and .procmailrc files located in
group-writable directories.  Specifically, procmail ignores
such a .procmailrc unless GROUP_PER_USER has been defined in
config.h at compile-time.

The most recent procmail update packages (3.13.1) do not
have GROUP_PER_USER defined and fail to function properly on
Red Hat Linux systems.*** Bug 3320 has been marked as a duplicate of this bug. ***

After upgrade from RedHat 5.2 to 6.0 procmail stoped working
and this appears in /var/log/messages for every inbound
message.

replace user with user's name



------- Additional Comments From   06/15/99 05:55 -------
Just for the record, I added a note about this to the Procmail FAQ I
maintain at
<http://www.iki.fi/era/procmail/mini-faq.html#group-writable>
Comment 7 Jay Turner 1999-06-23 10:57:59 EDT
Need to check out the patch at
http://cs.wilpaterson.edu/~scottw/shebang/
to see whether to include it in the package.
Comment 8 Bill Nottingham 1999-08-19 16:19:59 EDT
fixed in Raw Hide.

Note You need to log in before you can comment on or make changes to this bug.