at the exception of mail.local, smtpd never executes an MDA as root.

the check is performed daemon-side before even forking the child process,
but let's also check euid in the mda we ship in case someone executes them
by hand and needs to see an explicit error message.

3 files changed, 11 insertions, 2 deletions

diff --git a/usr.sbin/smtpd/mail.file.c b/usr.sbin/smtpd/mail.file.c
index cd9fd88fcf3..94888cea7b6 100644
--- a/usr.sbin/smtpd/mail.file.c
+++ b/usr.sbin/smtpd/mail.file.c
@@ -34,7 +34,10 @@ int
 main(int argc, char *argv[])
 {
 	int ch;
-	
+
+	if (! geteuid())
+		errx(1, "mail.file: may not be executed as root");
+
 	while ((ch = getopt(argc, argv, "")) != -1) {
 		switch (ch) {
 		default:
diff --git a/usr.sbin/smtpd/mail.lmtp.c b/usr.sbin/smtpd/mail.lmtp.c
index 55faa3315e9..93154446764 100644
--- a/usr.sbin/smtpd/mail.lmtp.c
+++ b/usr.sbin/smtpd/mail.lmtp.c
@@ -57,6 +57,9 @@ main(int argc, char *argv[])
 	const char *destination = "inet:localhost";
 	struct session	session;
 
+	if (! geteuid())
+		errx(1, "mail.lmtp: may not be executed as root");
+
 	session.lhlo = "localhost";
 	session.mailfrom = NULL;
 
diff --git a/usr.sbin/smtpd/mail.maildir.c b/usr.sbin/smtpd/mail.maildir.c
index effbc49a3b5..a209764d039 100644
--- a/usr.sbin/smtpd/mail.maildir.c
+++ b/usr.sbin/smtpd/mail.maildir.c
@@ -37,7 +37,10 @@ main(int argc, char *argv[])
 {
 	int ch;
 	char *dirname = NULL;
-	
+
+	if (! geteuid())
+		errx(1, "mail.maildir: may not be executed as root");
+
 	while ((ch = getopt(argc, argv, "d:")) != -1) {
 		switch (ch) {
 		case 'd':