Christoph Anton Mitterer reported [1] that maildrop is prone to a privilege escalation issue that grants a user root group privileges. This is due to maildrop not dropping supplementary groups when being invoked by root. A simple test case is to create a testmaildrop user and then create ~testmaildrop/.mailfilter (owned by testmaildrop and mode 0600):

% sudo cat ~testmaildrop/.mailfilter
echo `id`
exit

% sudo maildrop -V2 -d testmaildrop </dev/null
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=13910(testmaildrop) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Note that Debian has maildrop only sgid mail, but Fedora provides maildrop suid root and sgid mail. Also note that this cannot be used to quickly elevate your own privileges and this can only be taken advantage of if maildrop is actually executed by root (even with it being suid root):

% sudo su - testmaildrop
$ maildrop -V2 -d testmaildrop </dev/null
maildrop: Changing to /tmp/testmaildrop
Message start at 0 bytes, envelope sender=testmaildrop
maildrop: Attempting .mailfilter
maildrop: Filtering through `id`
uid=13910(testmaildrop) gid=13910(testmaildrop) groups=13910(testmaildrop) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ls -al `which maildrop`
-rwsr-sr-x. 1 root mail 175944 2009-09-04 15:49 /usr/bin/maildrop

The Debian bug report notes this patch will fix the issue:

diff -U3 -r1.58 main.C
--- maildrop/main.C 13 Jan 2010 01:32:02 -0000 1.58
+++ maildrop/main.C 15 Jan 2010 03:49:01 -0000
@@ -476,6 +476,8 @@ nouser(); #if RESET_GID setgroupid(my_pw->pw_gid); +#else + setgroupid(getegid()); #endif setuid(my_pw->pw_uid); if (getuid() != my_pw->pw_uid) Note that debian has maildrop only sgid mail, but Fedora provides maildrop suid root and sgid mail. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601
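Review bot: whether this hunk closes the reported hole depends on what setgroupid() does, and that is outside the hunk. The new `#else` branch calls `setgroupid(getegid());` before `setuid(my_pw->pw_uid);`, which is the right order since resetting supplementary groups needs privilege, but it only helps if setgroupid() actually resets the supplementary list (setgroups() or equivalent) and does not merely call setgid(), which would leave root's groups 0,1,2,... attached exactly as the report shows; please confirm that, and consider mirroring the existing `if (getuid() != my_pw->pw_uid)` check with a verification that getgroups() holds nothing but the target gid, so a silently failed drop aborts delivery instead of running .mailfilter with root's groups. A short comment on why getegid() (the sgid mail group) is the target in the non-RESET_GID build would also help the next reader.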
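The bug in the report is a privilege drop that changes the uid but never clears the supplementary group list. The following C is an added illustration, not maildrop's code: a drop_privileges() helper that clears supplementary groups before setgid()/setuid() and verifies the result, plus groups_dropped(), the check that the `id` output above makes by eye. The function names and the 64-entry group buffer are my own choices.

```c
#define _GNU_SOURCE            /* glibc: declares setgroups() in <grp.h> */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if every entry of groups[0..n) equals `expected`, i.e. no stray
 * supplementary group survived the drop (13910 alone vs. root's 0,1,2,...). */
int groups_dropped(const gid_t *groups, int n, gid_t expected)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != expected)
            return 0;
    return 1;
}

/* Drop to uid/gid in the only order that works: supplementary groups first
 * (setgroups() needs privilege), then primary gid, then uid. Fails closed with
 * -1 if any step fails or does not verify, so we never run with root's groups. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t only[1] = { gid };
    gid_t list[64];                /* hypothetical cap; plenty after a successful drop */

    if (setgroups(1, only) != 0)   /* the step the reported bug skipped */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify, as maildrop's own `if (getuid() != my_pw->pw_uid)` does for the
     * uid: a silently failed drop is exactly the bug in the report. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    int n = getgroups(64, list);
    if (n < 0 || !groups_dropped(list, n, gid))
        return -1;
    return 0;
}

int main(void)
{
    /* Dropping to our own ids succeeds as root; unprivileged it fails with
     * EPERM, because only a privileged process may call setgroups(). */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%u gid=%u, supplementary groups cleared\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```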
Axel, any progress with scheduling Fedora maildrop updates? Thanks, Jan.
maildrop-2.4.0-12.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/maildrop-2.4.0-12.fc12
maildrop-2.4.0-12.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/maildrop-2.4.0-12.fc11
maildrop-2.4.0-12.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
maildrop-2.4.0-12.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.