There wouldn't be any security problem... since qmail-inject is not setuid,
users would have the same privileges and could do the same thing themselves if
they so desired.  That was not my point.

qmail-inject is called by the sendmail wrapper.  Using XMIT, qpopper calls
sendmail, or in this case, the wrapper (XMIT comes in handy for user
authentication with eudora for sending mail).  qpopper sets the user to the
person logging in, and the group to mail, but it leaves the user environment
(usually the calling user would be root) untouched.  You then have a user
sending mail with uid <user_id>, gid mail, and USER and LOGNAME variables of
'root'.  This is where my point comes into play -- qmail-inject checks
environment variables _only_, and finds root.  The message is then sent out
with a return-path of [EMAIL PROTECTED], and any bounced messages are sent to
root, and _not_ to the actual sender.  Some broken mail clients even use the
return-path for replying to mail, ignoring the inserted "From:" header.

I have two choices in this case:
        1. i can modify qpopper (again) and add a calling argument of '-f
<user>', or change the USER variable after setuid().
        2. i can modify qmail-inject to check the user itself if it finds no
QMAILUSER (and perhaps MAILUSER) variable(s).

The second option will probably help more in the long run, though the first
does certainly improve qpopper's style.

Based on some short tests, cuserid() seems to work improperly on some platforms
(i.e. irix), so getpwuid(getuid())->pw_name would be the (portable) way to go.

Again, if anyone has any serious reasons why changing this is a bad idea,
please let me know.

ari


[EMAIL PROTECTED] said this stuff:

> On Wed, Feb 23, 2000 at 04:23:33PM -0500, ari wrote:
> > Is there any particular reason that qmail-inject uses env_get("*USER") instead
> > of getuid and getpwuid (or just cuserid)?
> > 
> > If anyone is familiar with qualcomm qpopper (2.53, at least), using POP-send
> > changes the UID to the proper user and the GID to mail, but leaves the
> > environment as root's.  Under sendmail this is not a problem, but since
> > qmail-inject uses the environment alone, all messages end up with a return-path
> > of root.
> > 
> > If no one has a good reason that i should leave it alone, please let me know.
> 
> 
> When will you be able to inject mail via the POP protocol? 
> qmail-inject is only used for local injection. 
> 
> You can do the exact same thing on the command line:
> 
> /var/qmail/bin/qmail-inject -f root
> 
> What is the security problem here?
> 
> http://www.nrg4u.com/qmail/the-big-qmail-picture-103-p1.gif
> 
> /magnus
> 
> -- 
> http://x42.com/

-- 

.------------------------Ari Edelkind--------------------------.
 Unix Systems and Network Administrator   [EMAIL PROTECTED]
 Public Health Research Institute         (212) Phone: 578 0822
 New York, NY [USA]                             Fax  : 576 8442
`--------------------------------------------------------------'
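The getpwuid()-based fallback ari proposes as option 2, written up as an added example (this is not qmail's own qmail-inject code and not ari's patch): an explicit QMAILUSER/MAILUSER is still honoured, but USER/LOGNAME are no longer trusted on their own, and a second routine flags the qpopper XMIT condition where the environment still names root. The function names sender_for_uid and env_user_mismatch are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Envelope sender for a process running as `uid`, following the post's second
 * option: an explicit QMAILUSER (then MAILUSER) still wins, but when neither
 * is set the name comes from the passwd entry of the real uid rather than from
 * USER/LOGNAME, which may still describe the parent (root, in the qpopper XMIT
 * case). "anonymous" is the fallback for a uid with no passwd entry; getpwuid()
 * is used rather than cuserid(), which the post reports misbehaving on IRIX.
 * (Hypothetical function, not qmail-inject's own; long names are truncated.) */
const char *sender_for_uid(uid_t uid, char *buf, size_t len)
{
    static const char *const explicit_vars[] = { "QMAILUSER", "MAILUSER" };
    const struct passwd *pw;
    size_t i;
    for (i = 0; i < sizeof explicit_vars / sizeof explicit_vars[0]; i++) {
        const char *v = getenv(explicit_vars[i]);
        if (v != NULL && *v != '\0') {
            snprintf(buf, len, "%s", v);
            return buf;
        }
    }
    pw = getpwuid(uid);
    snprintf(buf, len, "%s", pw != NULL ? pw->pw_name : "anonymous");
    return buf;
}

/* Diagnostic for the condition the post describes: 1 when USER or LOGNAME
 * names a different account than the passwd entry for `uid`, 0 when they
 * agree or are unset, -1 when the uid has no passwd entry. */
int env_user_mismatch(uid_t uid)
{
    static const char *const env_vars[] = { "USER", "LOGNAME" };
    const struct passwd *pw = getpwuid(uid);
    size_t i;
    if (pw == NULL)
        return -1;
    for (i = 0; i < sizeof env_vars / sizeof env_vars[0]; i++) {
        const char *v = getenv(env_vars[i]);
        if (v != NULL && *v != '\0' && strcmp(v, pw->pw_name) != 0)
            return 1;
    }
    return 0;
}
```

Run under a wrapper that has done setuid() but left USER=root in place, env_user_mismatch() returns 1 and sender_for_uid() still yields the real account name, which is the behaviour the post wants from qmail-inject.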