Debian Bug report logs - #298058
procmail: Please make suid root installation configurable
Reported by: Martin Pitt <mpitt@debian.org>
Date: Fri, 4 Mar 2005 11:33:05 UTC
Severity: wishlist
Tags: patch
Found in version 3.22-10
Done: Santiago Vila <sanvila@unex.es>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#298058; Package procmail.
Acknowledgement sent to Martin Pitt <mpitt@debian.org>: New Bug report received and forwarded. Copy sent to Santiago Vila <sanvila@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: procmail
Version: 3.22-10
Severity: wishlist
Tags: patch
Hi!
Currently, procmail is installed as setuid root by default, which is
unnecessary when using it with e. g. exim4 or postfix. Installing it
setgid mail (and using the mail group only when necessary) is much
safer and greatly limits the potential impact of security holes.
You can get the patch from http://patches.ubuntu.com/patches/procmail.minprivs.diff; it has been applied in Ubuntu for half a year now without problems (however, suid root installation defaults to "no" there).
Please consider adopting it for Debian.
Thanks,
Martin
procmail (3.22-9ubuntu1) unstable; urgency=low
* Minimized sgid privilege usage: right at the program start the effective
group (mail) is reset to the real group (normally the user's primary
group); privileged group 'mail' is just used when creating a previously
missing default mailbox in /var/mail/<username>.
* Added debconf question whether to install procmail setuid root (with
default 'yes' to stay compatible). This is not needed with e. g. exim4 and
postfix; disabling it eliminates a potential security hole.
* Added build-dep po-debconf and dependency debconf.
* Added German translation of debconf question.
-- Martin Pitt <mpitt@debian.org> Sat, 24 Jul 2004 00:52:55 +0200
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
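The changelog entry above describes the privilege pattern in three steps: at program start the effective group (mail) is reset to the invoking user's real group, the privileged group is re-acquired only to create a missing default mailbox, and it is dropped again immediately. The following is an added illustration of that pattern, not procmail's code and not the Ubuntu patch; the function names, the `saved_gid` variable and the demo mailbox path are my own, and the spool path in the comments is the /var/mail/<username> location the changelog names.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not procmail's code. `saved_gid` stands for the group the
 * binary was installed setgid to (mail in the changelog); it is captured once
 * at startup and only ever re-acquired for a single, short operation. */
static gid_t saved_gid;

/* Program start: remember the privileged group, then run with the invoking
 * user's real group as the effective group. Returns 0 on success, -1 on failure. */
int minimize_group_privs(void)
{
    saved_gid = getegid();
    if (setegid(getgid()) != 0)
        return -1;
    /* Verify the drop rather than trusting the return value alone. */
    return getegid() == getgid() ? 0 : -1;
}

/* Re-acquire the privileged group for one operation. */
int raise_group_privs(void)
{
    return setegid(saved_gid) == 0 ? 0 : -1;
}

/* Return to the real group; a caller must treat failure as fatal, because
 * continuing with the privileged group is exactly what the pattern avoids. */
int drop_group_privs(void)
{
    if (setegid(getgid()) != 0)
        return -1;
    return getegid() == getgid() ? 0 : -1;
}

/* 1 if the process is currently running with only its real group. */
int group_privs_dropped(void)
{
    return getegid() == getgid();
}

/* Create the default mailbox at `path` if it is missing, holding the
 * privileged group only across the open() that creates it. On Linux a new
 * file takes the creator's effective gid, so the spool file ends up owned by
 * the privileged group with mode 0660 without any chown. Returns 0 if a
 * regular file exists at `path` afterwards, -1 on error. */
int ensure_mailbox(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0) {
        if (!S_ISREG(st.st_mode)) {   /* refuse a directory, device or socket */
            errno = EINVAL;
            return -1;
        }
        return 0;                     /* already present */
    }
    if (errno != ENOENT)
        return -1;

    if (raise_group_privs() != 0)
        return -1;
    /* O_EXCL: never follow a pre-placed symlink or reuse a file that appeared
     * between the stat() and the open(). */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0660);
    int open_errno = errno;
    /* Drop first, then look at the open() result, so no error path keeps the group. */
    if (drop_group_privs() != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = open_errno;
        return -1;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed demo path; a real spool would be /var/mail/<username>. */
    const char *path = argc > 1 ? argv[1] : "./demo-mailbox";
    if (minimize_group_privs() != 0) {
        perror("setegid");
        return 1;
    }
    if (ensure_mailbox(path) != 0) {
        perror(path);
        return 1;
    }
    printf("%s ready; running with real group only: %s\n",
           path, group_privs_dropped() ? "yes" : "no");
    return 0;
}
```

Run as an unprivileged user the effective and real group are already equal, so every step succeeds trivially; the behaviour the changelog describes only becomes visible when the binary is installed setgid. Note that setegid() leaves the saved set-group-ID in place on purpose, so the group can be regained for the mailbox creation; a program that never needs the group back should drop it permanently with setgid() or setresgid() instead.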
Reply sent to Santiago Vila <sanvila@unex.es>: You have taken responsibility.
Notification sent to Martin Pitt <mpitt@debian.org>: Bug acknowledged by developer.
Message #10 received at 298058-done@bugs.debian.org:
On Fri, 4 Mar 2005, Martin Pitt wrote:
> Package: procmail
> Version: 3.22-10
> Severity: wishlist
> Tags: patch
>
> Hi!
>
> Currently, procmail is installed as setuid root by default, which is
> unnecessary when using it with e. g. exim4 or postfix. Installing it
> setgid mail (and using the mail group only when necessary) is much
> safer and greatly limits the potential impact of security holes.
This was already reported by you as Bug#264011, and I still consider
it inappropriate for Debian, which has a lot more MTAs than postfix or exim4.
If you missed the last email in Bug#264011, please read it now.
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#298058; Package procmail.
Acknowledgement sent to Martin Pitt <mpitt@debian.org>: Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
Message #15 received at 298058@bugs.debian.org:
Hi!
Santiago Vila [2005-03-04 13:16 +0100]:
> > Currently, procmail is installed as setuid root by default, which is
> > unnecessary when using it with e. g. exim4 or postfix. Installing it
> > setgid mail (and using the mail group only when necessary) is much
> > safer and greatly limits the potential impact of security holes.
>
> This was already reported by you as Bug#264011, and I still consider
> it inappropriate for Debian, which has a lot more MTAs than postfix or exim4.
>
> If you missed the last email in Bug#264011, please read it now.
Sorry, I forgot about the previous bug and I could not find it in the
current bug list.
For the record, I heavily disagree with your reasoning. You will help
people to lose mail (and much more) if you run programs as root
without any reason (especially for programs whose code is as messy as
procmail), and making it easy for people to close this hole is in no
way worthless.
However, I respect that you are the maintainer and decide this, so I
will shut up. Ubuntu just has the policy to offer patches to Debian,
not to force Debian to use it. :-)
Thanks and have a nice day!
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Santiago Vila <sanvila@debian.org>: Bug#298058; Package procmail.
Acknowledgement sent to Santiago Vila <sanvila@unex.es>: Extra info received and forwarded to list. Copy sent to Santiago Vila <sanvila@debian.org>.
Message #20 received at 298058@bugs.debian.org:
> > If you missed the last email in Bug#264011, please read it now.
>
> Sorry, I forgot about the previous bug and I could not find it in the
> current bug list.
>
> For the record, I heavily disagree with your reasoning. You will help
> people to lose mail (and much more) if you run programs as root
> without any reason (especially for programs whose code is as messy as
> procmail), and making it easy for people to close this hole is in no
> way worthless.
I understand that you want to have as few suid programs as possible in
the system, but it's not as if procmail was being careless with the
suid bit; it changes privileges to the user it is delivering to as soon
as it can.
I agree that it should be easy to remove the suid bit, but I think
it's already easy enough to remove the suid bit, using dpkg-statoverride.
Is there really not a way to tell people to use dpkg-statoverride
other than using debconf?
Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:46:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:44:23 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Oct 11 12:05:49 2017; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.