On Sun, Apr 26, 2020 at 08:55:14AM +0000, [email protected] wrote:
April 26, 2020 10:34 AM, "Christopher Zimmermann" <[email protected]> wrote:
- always run lmtp deliveries as SMTPD_USER. The change to
mda_unpriv.c is needed, because otherwise
all mails would be delivered to SMTPD_USER.
- add two internal flags NOPRIV and NEEDPRIV. NOPRIV can be configured by the
simple directive
"no-priv". NEEDPRIV gets set on all delivery methods / options requiring
setuid() to run as the
receipient user.
A configuration error is produced on any conflict betweed NEEDPRIV and NOPRIV.
In case of a NOPRIV run smtpd will drop root privileges.
This will break .forward and alias filters.
Hi, thanks for your fast reply.
The LMTP change seems interesting to me, it means that a broken LMTP delivery
will fail with _smtpd privileges instead of the (unprivileged) recipient user
so I think it's a good move.
That's great. Is there anything that needs to change or be clarified
before you can give an ok?
I'm less convinced by the other change and it doesn't only break .forward and
alias, it also breaks authentication, tables reloading, and probably stuff my
mind is not yet awake enough to think of.
Thanks for giving it a thought. I'm not entirely convinced either. But
believe some thought should be given to it.
In your opinion would it be generaly a bad idea to try run smtpd without
root privileges?
What exectly will cease to work?
- .forward and alias _filtering_ will break for sure.
Forwarding won't break.
- Authentication: Authentication of system users will break. So I would
mark auth without auth-table as need_priv() in parse.y.
- tables reloading: this is a problem only for tables with restricted
read permissions, isn't it?
I could try to figure out whether it is a problem in parse.y and mark
it as need_priv() if necessary, but one could also just document the
no-priv option with its limitations.
- other stuff: Can it be dealt with need_priv()? Will it lead to
unpleasant surprises for users?
The general idea is to allow running smtpd without root priviliges where
possible and maybe try to change it to support running without root for
more use-cases over time. Like try to pick the low-hanging fruits first.
One less low-hanging fruits would be to integrate mail.lmtp(8) into
smtpd and move other mail.* functionality into a privileged lmtpd
daemon.
This would remove those vulnerable mda-exec lines from the envelope
files. That's just one idea how one could proceed. The current proposal
is to start stripping privileges where possible.
Christopher
-- http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
CB07 DA40 B0B6 571D 35E2 0DEF 87E2 92A7 13E5 DEE1
