author | millert <millert@openbsd.org> | 2020-05-27 03:12:06 +0000 |
---|---|---|
committer | millert <millert@openbsd.org> | 2020-05-27 03:12:06 +0000 |
commit | da07b1a33098c80ae09a68169c20a6485e5f3453 (patch) | |
tree | 7061e57ab99d9afeade1295f12467f5c09ef57ae /libexec | |
parent | Update comment block at the top to describe (a) the ring damage logic, (diff) | |
Remove support for world-writable mail spools.
They won't work any more due to pledge restrictions so just print
an error and exit if the spool is world-writable. OK beck@
Diffstat (limited to 'libexec')
-rw-r--r-- | libexec/mail.local/locking.c | 79 | ||||
-rw-r--r-- | libexec/mail.local/mail.local.8 | 27 |
2 files changed, 17 insertions, 89 deletions
diff --git a/libexec/mail.local/locking.c b/libexec/mail.local/locking.c
index 12bed233ea4..6abbc90e433 100644
--- a/libexec/mail.local/locking.c
+++ b/libexec/mail.local/locking.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: locking.c,v 1.14 2020/02/09 14:59:20 millert Exp $ */
+/* $OpenBSD: locking.c,v 1.15 2020/05/27 03:12:06 millert Exp $ */
 /*
 * Copyright (c) 1996-1998 Theo de Raadt <deraadt@theos.com>
@@ -33,7 +33,6 @@
 #include <fcntl.h>
 #include <pwd.h>
 #include <syslog.h>
-#include <time.h>
 #include <unistd.h>
 #include <limits.h>
 #include <errno.h>
@@ -57,9 +56,8 @@ rellock(void)
 int
 getlock(const char *name, struct passwd *pw)
 {
- struct stat sb, fsb;
+ struct stat sb;
 int lfd=-1;
- char buf[8*1024];
 int tries = 0;
 (void)snprintf(lpath, sizeof lpath, "%s/%s.lock",
@@ -67,58 +65,8 @@ getlock(const char *name, struct passwd *pw)
 if (stat(_PATH_MAILDIR, &sb) != -1 &&
 (sb.st_mode & S_IWOTH) == S_IWOTH) {
- /*
- * We have a writeable spool, deal with it as
- * securely as possible.
- */
- time_t ctim = -1;
-
- seteuid(pw->pw_uid);
- if (lstat(lpath, &sb) != -1)
- ctim = sb.st_ctime;
- while (1) {
- /*
- * Deal with existing user.lock files
- * or directories or symbolic links that
- * should not be here.
- */
- if (readlink(lpath, buf, sizeof buf-1) != -1) {
- if (lstat(lpath, &sb) != -1 &&
- S_ISLNK(sb.st_mode)) {
- seteuid(sb.st_uid);
- unlink(lpath);
- seteuid(pw->pw_uid);
- }
- goto again;
- }
- if ((lfd = open(lpath, O_CREAT|O_WRONLY|O_EXCL|O_EXLOCK,
- S_IRUSR|S_IWUSR)) != -1)
- break;
-again:
- if (tries > 10) {
- mwarn("%s: %s", lpath, strerror(errno));
- seteuid(0);
- return(-1);
- }
- if (tries > 9 &&
- (lfd = open(lpath, O_WRONLY|O_EXLOCK, 0)) != -1) {
- if (fstat(lfd, &fsb) != -1 &&
- lstat(lpath, &sb) != -1) {
- if (fsb.st_dev == sb.st_dev &&
- fsb.st_ino == sb.st_ino &&
- ctim == fsb.st_ctime ) {
- seteuid(fsb.st_uid);
- baditem(lpath);
- seteuid(pw->pw_uid);
- }
- }
- close(lfd);
- }
- sleep(1U << tries);
- tries++;
- continue;
- }
- seteuid(0);
+ mwarn("%s: will not deliver to world-writable spool",
+ _PATH_MAILDIR);
 } else {
 /*
 * Only root can write the spool directory.
@@ -139,25 +87,6 @@ again:
 }
 void
-baditem(char *path)
-{
- char npath[PATH_MAX];
- int fd;
-
- if (unlink(path) == 0)
- return;
- snprintf(npath, sizeof npath, "%s/mailXXXXXXXXXX", _PATH_MAILDIR);
- if ((fd = mkstemp(npath)) == -1)
- return;
- close(fd);
- if (rename(path, npath) == -1)
- unlink(npath);
- else
- mwarn("nasty spool item %s renamed to %s", path, npath);
- /* XXX if we fail to rename, another attempt will happen later */
-}
-
-void
 mwarn(const char *fmt, ...)
 {
 va_list ap;
diff --git a/libexec/mail.local/mail.local.8 b/libexec/mail.local/mail.local.8
index 330a4473faa..dd6c8407264 100644
--- a/libexec/mail.local/mail.local.8
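Review bot: The new world-writable branch of getlock only calls mwarn and has no explicit return, so control continues past the if/else into the rest of the function, where the refusal presumably relies on `lfd` still holding the -1 it is initialised to in the earlier hunk and on that value being returned at the end; both of those are outside this hunk. The removed code returned -1 explicitly on its failure path, and adding `return (-1);` after the mwarn call would make the refusal independent of the initialisation and of whatever the function's tail does. The commit message says the program exits when the spool is world-writable, but this hunk only logs; if the exit happens in the caller, a comment such as `/* -1 is treated as a fatal delivery error by the caller */` would make that contract visible here. getlock's body ends outside the hunk.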
+++ b/libexec/mail.local/mail.local.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: mail.local.8,v 1.31 2014/09/16 21:28:51 jmc Exp $
+.\" $OpenBSD: mail.local.8,v 1.32 2020/05/27 03:12:06 millert Exp $
 .\" Copyright (c) 1990 The Regents of the University of California.
 .\" All rights reserved.
 .\"
@@ -28,7 +28,7 @@
 .\"
 .\" from: @(#)mail.local.8 6.8 (Berkeley) 4/27/91
 .\"
-.Dd $Mdocdate: September 16 2014 $
+.Dd $Mdocdate: May 27 2020 $
 .Dt MAIL.LOCAL 8
 .Os
 .Sh NAME
@@ -77,19 +77,18 @@ is prepended to any line in the message which could be mistaken for a
 .Dq "From\&\ "
 delimiter line.
 .Pp
-Significant efforts have been made to ensure that
+Significant effort has been made to ensure that
 .Nm
-acts as securely as possible if the spool directory is mode 1777 or 755.
-The default of mode 755 is more secure, but it prevents mail clients from using
-.Pa username.lock
-style locking.
-The use of 1777 is more flexible in an NFS shared-spool environment,
-so many sites use it.
-However, it does carry some risks, such as attackers filling the spool disk.
-Some of these problems may be alleviated
-by making the spool a separate filesystem, and placing quotas on it.
-The use of any mode other than 1777 and 755 for the spool directory is
-recommended against but may work properly.
+acts as securely as possible.
+It will only deliver to a mail spool directory that is not world-writable.
+The default mode of
+.Pa /var/mail
+on
+.Ox
+is 755, which prevents non-root processes from creating mail spool files.
+The MTA is expected to either create the mail spool file itself, or call
+.Nm
+as root.
 .Pp
 The mailbox is always locked using
 .Xr flock 2 |