Bug#581739: permission check on .forward files ignores user private groups
On Sun, May 16, 2010 at 01:24:31PM +0200, Andreas Metzler wrote: > On 2010-05-15 Andreas Hemel wrote: > > Package: exim4 > > Version: 4.71-4 > > Severity: normal > > > According to bug #581434 the default umask on new installations will > > change from 022 to 002. Debian uses user private groups, meaning every > > user is in his own private group, that nobody else is a member of. > > Hello, > This is not entirely correct. Debian uses user private groups *by* > *default* but can also be set differently. Just take a look at the > .debian.org machines, they do not use UPGs (except for alioth): > > ametz...@merkel:~$ getent passwd ametzler > ametzler:x:2571:800:Andreas Metzler:/home/ametzler:/bin/bash > ametz...@merkel:~$ getent group 800 > Debian:x:800:cvs_boot > ametz...@merkel:~$ groups > Debian I'm not a DD, so I don't have access to those machines. The possibility to disable UPG is not directly relevant to the point I was trying to make here. I'm simply arguing that something like the following should work on a Debian system by default: $ echo "m...@example.com" > ~/.forward Currently, if the umask defaults to 002, this will prevent mail delivery and the user is in no way notified that there is a problem. > I could set > > modemask = 002 > > on the userforward router and make it overrideable by macro. Since we > already set check_local_user the modemask setting switches on > check_group. Exim will require that the .forward file is owned by the > users primary group. (This could introduce breakage on upgrades if > .forward is 0600 but owned by a different group delivery will break. IMHO the ideal solution would be to determine the applicable modemask based on whether the group owning the .forward is the private group of the user. That is, the user is the only member and the group name is identical to the user name. I realize this is probably not possible without patching exim, so I'm, for my part, happy with the solution you outlined above. Andreas -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#581739: permission check on .forward files ignores user private groups
On 2010-05-15 Andreas Hemel wrote: > Package: exim4 > Version: 4.71-4 > Severity: normal > According to bug #581434 the default umask on new installations will > change from 022 to 002. Debian uses user private groups, meaning every > user is in his own private group, that nobody else is a member of. Hello, This is not entirely correct. Debian uses user private groups *by* *default* but can also be set differently. Just take a look at the .debian.org machines, they do not use UPGs (except for alioth): ametz...@merkel:~$ getent passwd ametzler ametzler:x:2571:800:Andreas Metzler:/home/ametzler:/bin/bash ametz...@merkel:~$ getent group 800 Debian:x:800:cvs_boot ametz...@merkel:~$ groups Debian > This change makes it easier to setup additional collaboration groups > without the need to bug all partaking users to change their umask. > For further details see #581434 and the discussion on debian-devel > [1]. > Exim checks the permission bits on user .forward files and refuses to > deliver any mail if the .forward file is group writable. It does not > check if the user is the only member in the group associated with the > .forward file. In that case setting the group writable bit is save. The > change of the default umask causes all .forward files created on new > installs to have the group writable bit set by default. > If Exim refuses to deliver mail because of this, the user is not (and > probably can not be) notified and the only way to find out why mail is > not deliviered is looking at the log files, to which a regular user does > not have access. > I've reproduced this problem with both 4.71-4 from unstable and > 4.71-2~bpo50+1 from lenny-backports. With the latter version I even > completly lost some system mail. I realize that bounces could not be > deliviered because both the receiver and sender were essentially the > same user (with the 'broken' .forward permissions), but I do not > understand why these mails were dropped instead of being frozen. I could set modemask = 002 on the userforward router and make it overrideable by macro. Since we already set check_local_user the modemask setting switches on check_group. Exim will require that the .forward file is owned by the users primary group. (This could introduce breakage on upgrades if .forward is 0600 but owned by a different group delivery will break. cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#581739: permission check on .forward files ignores user private groups
Package: exim4 Version: 4.71-4 Severity: normal According to bug #581434 the default umask on new installations will change from 022 to 002. Debian uses user private groups, meaning every user is in his own private group, that nobody else is a member of. This change makes it easier to setup additional collaboration groups without the need to bug all partaking users to change their umask. For further details see #581434 and the discussion on debian-devel [1]. Exim checks the permission bits on user .forward files and refuses to deliver any mail if the .forward file is group writable. It does not check if the user is the only member in the group associated with the .forward file. In that case setting the group writable bit is save. The change of the default umask causes all .forward files created on new installs to have the group writable bit set by default. If Exim refuses to deliver mail because of this, the user is not (and probably can not be) notified and the only way to find out why mail is not deliviered is looking at the log files, to which a regular user does not have access. I've reproduced this problem with both 4.71-4 from unstable and 4.71-2~bpo50+1 from lenny-backports. With the latter version I even completly lost some system mail. I realize that bounces could not be deliviered because both the receiver and sender were essentially the same user (with the 'broken' .forward permissions), but I do not understand why these mails were dropped instead of being frozen. [1] http://lists.debian.org/debian-devel/2010/05/msg00252.html -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
