Hi,
I've been looking through the recent changes to the Debian ssmtp package
and this bug seems to be quite crucial.
Guido Trotter <ultrot...@debian.org> wrote:
> Version: 2.64-3
[...]
> The recent change to install ssmtp sgid mail broke the possibility to
> use the -C flag to select an alternative config file. This break
> unrelated system configurations (eg, my git couldn't send mail anymore).
>
> I think -C + suid/sgid is disabled for security reasons, and considering
[...]
However, I've built myself a copy of ssmtp 2.64-3 and have not been able
to reproduce this problem. I did as follows:
c...@aragorn:/tmp$ dpkg-source -x ssmtp_2.64-3.dsc
c...@aragorn:/tmp$ cd ssmtp-2.64
c...@aragorn:/tmp/ssmtp-2.64$ debian/rules clean; debian/rules build
c...@aragorn:/tmp/ssmtp-2.64$ sudo chgrp root ssmtp; sudo chmod g+s ssmtp
then:
c...@aragorn:/tmp/ssmtp-2.64$ ls -l ssmtp
-rwxrwsr-x 1 cpbs root 67932 2010-07-21 20:11 ssmtp
c...@aragorn:/tmp/ssmtp-2.64$ echo mailhub=invalid > test.conf
c...@aragorn:/tmp/ssmtp-2.64$ echo test | ./ssmtp -C ./test.conf root
ssmtp: Cannot open invalid:25
...which shows that the setgid ssmtp binary is successfully parsing
test.conf.
>From what Guido said in his original report, I was expecting an error
message from ssmtp when passing -C to a setgid ssmtp binary, but I do
not see that.
I was expecting to find a test somewhere in ssmtp.c which, if it
determined that ssmtp had been run setgid ("getgid() != getegid()")
and the -C option was being parsed, would die with an error message.
That would, I think, produce a behaviour matching the description in
this bug report.
My plan was to change this so that, if ssmtp was run setgid and -C was
specified, ssmtp would give up its setgid privileges ("setgid(getgid())")
before opening its config file; this would allow ssmtp to read its default
config file with elevated permissions, but also to allow users to call
it with their own private config files if required without allowing
them to use this to read files they shouldn't be able to. This would,
I think, provide a solution to all these related bugs at once, *if*
I'm understanding this bug correctly; the description of the bug is not
specific enough to enable me to reproduce it though.
Guido, can you describe in more detail what the symptoms of this bug were?
If you can quote an error message that would help me find the code I'm
interested in.
(I don't know whether Debian keeps sources of intermediate versions
of package for any length of time these days; I found version 2.64-3
at https://www.securehost.com/mirror/debian/pool/main/s/ssmtp/
and verifying against the checksums found at the end of
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567906.)
Thanks,
--
Charles Briscoe-Smith
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
