On Sun, Apr 26, 2020 at 08:55:14AM +0000, [email protected] wrote:
April 26, 2020 10:34 AM, "Christopher Zimmermann" <[email protected]> wrote:

Hi,

I further developed my approach to allow running smtpd with fewer privileges. This diff does two things:

- always run lmtp deliveries as SMTPD_USER. The change to mda_unpriv.c is needed, because otherwise all mails would be delivered to SMTPD_USER.

- add two internal flags NOPRIV and NEEDPRIV. NOPRIV can be configured by the simple directive "no-priv". NEEDPRIV gets set on all delivery methods / options requiring setuid() to run as the recipient user. A configuration error is produced on any conflict between NEEDPRIV and NOPRIV. In case of a NOPRIV run smtpd will drop root privileges. This will break .forward and alias filters.

The change to the lmtp delivery has benefits even without the second change. With the second change my smtpd now runs without root privileges. The NEEDPRIV/NOPRIV options are meant to allow restricting the privileges of other delivery methods.

I am now looking for OKs on the first change to do unprivileged lmtp deliveries and feedback on the general approach of the second change.


The LMTP change seems interesting to me, it means that a broken LMTP delivery
will fail with _smtpd privileges instead of the (unprivileged) recipient user
so I think it's a good move.


Ok to commit the below change?

Christopher


Index: mda_unpriv.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mda_unpriv.c,v
retrieving revision 1.6
diff -u -p -r1.6 mda_unpriv.c
--- mda_unpriv.c        2 Feb 2020 22:13:48 -0000       1.6
+++ mda_unpriv.c        23 May 2020 13:43:39 -0000
@@ -69,8 +69,8 @@ mda_unpriv(struct dispatcher *dsp, struc
        xasprintf(&mda_environ[idx++], "RECIPIENT=%s@%s", deliver->dest.user, 
deliver->dest.domain);
        xasprintf(&mda_environ[idx++], "SHELL=/bin/sh");
        xasprintf(&mda_environ[idx++], "LOCAL=%s", deliver->rcpt.user);
-       xasprintf(&mda_environ[idx++], "LOGNAME=%s", pw_name);
-       xasprintf(&mda_environ[idx++], "USER=%s", pw_name);
+       xasprintf(&mda_environ[idx++], "LOGNAME=%s", 
deliver->userinfo.username);
+       xasprintf(&mda_environ[idx++], "USER=%s", deliver->userinfo.username);

        if (deliver->sender.user[0])
                xasprintf(&mda_environ[idx++], "SENDER=%s@%s",
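Review bot: after the two replaced lines, pw_name is no longer referenced anywhere in this hunk; if it is not used elsewhere in mda_unpriv() it should be dropped in the same diff so the build does not pick up an unused-variable warning. The switch to deliver->userinfo.username is what keeps LOGNAME and USER pointing at the recipient account once the LMTP dispatcher runs as SMTPD_USER (otherwise both would read the name of the _smtpd process owner), and that reasoning is worth a sentence in the commit message since the mda_unpriv.c change looks unrelated to parse.y at first glance.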
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.277
diff -u -p -r1.277 parse.y
--- parse.y     24 Feb 2020 23:54:27 -0000      1.277
+++ parse.y     23 May 2020 13:43:40 -0000
@@ -690,10 +690,12 @@ MBOX {
 | LMTP STRING {
        asprintf(&dispatcher->u.local.command,
            "/usr/libexec/mail.lmtp -d %s -u", $2);
+       dispatcher->u.local.user = SMTPD_USER;
 } dispatcher_local_options
 | LMTP STRING RCPT_TO {
        asprintf(&dispatcher->u.local.command,
            "/usr/libexec/mail.lmtp -d %s -r", $2);
+       dispatcher->u.local.user = SMTPD_USER;
 } dispatcher_local_options
 | MDA STRING {
        asprintf(&dispatcher->u.local.command,
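Review bot: `dispatcher->u.local.user = SMTPD_USER;` runs in the mid-rule action before `dispatcher_local_options` is parsed, so any `user` option given after the lmtp directive will silently overwrite it; either document that the option still takes precedence or reject the combination with a yyerror, since the stated intent is that lmtp deliveries always run as SMTPD_USER. Also confirm that u.local.user is never passed to free() on dispatcher teardown: the assignment stores a pointer to the SMTPD_USER string constant, and if other paths store an allocated copy, this one should use xstrdup(SMTPD_USER) to match.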



--
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
CB07 DA40 B0B6 571D 35E2  0DEF 87E2 92A7 13E5 DEE1
