[RndTbl] "washing" a fork/exec to force all groups

Gilbert Detillieux Gilbert.Detillieux at umanitoba.ca
Mon Apr 17 09:55:59 CDT 2023 

If you do resort to a wrapper of some sort, and don't want it to have 
full setuid-root privileges, you may be able to get by with just setting 
CAP_SETGID capability on the binary.  That's all that setgroups*(2) 
would need, if the man page is to be trusted.  (However, setting just 
that on the procmail binary may not be sufficient, if it's expecting 
more privileges than that.  But it would be worth a try.)

You may also just want to rethink the root problem (no pun intended). 
Do you really need secondary groups, or could a simple change to some 
file ownership and/or permissions accomplish the same thing?  Or 
changing the primary group on the affected user(s)?  Of course, those 
solutions could turn out to be worse than the problem, so YMMV.

Gilbert

On 2023-04-17 7:58 a.m., Adam Thompson wrote:
> Why: "security".  I don't recall the details, but I think I remember this change - quite a long time ago, and it never affected me.
> 
> The more general solution is broadly accepted to be: stop using procmail.  It's ancient, unmaintained code that doesn't meet modern <anything> standards.  Ask about procmail problems on any of the MTA mailing lists and you will be soundly and roundly flamed for still using it.
> 
> If you use Dovecot, you already have a full SIEVE implementation.  Of course procmail can do dangerous things that SIEVE refuses to do, but for most sane needs, it's IMHO far superior to .procmailrc syntax.  Much like switching from sendmail syntax to postfix syntax.  You might consider that a bug, not a feature, YMMV.
> 
> Penultimately, I think you want procmail to be setuid root, and invoke it with the "-d" flag.  It doesn't get installed setuid anymore because (see above) it's ancient, unmaintained, and believed to not be safe to invoke as root.
> 
> As to sudo, the usual solution is to put your users in a group and allow the group instead of the user.  You could "rootwash" procmail itself by using a wrapper script that sudo's procmail instead of having procmail sudo php.  You could theoretically have postfix invoke "sudo postfix" but that might be more trouble than it's worth.
> 
> If you don't have root on the box?  Just use .forward files.  First character on the first line is "|" = exactly what you're doing with procmail.  Wait, you still have the secondary group problem, so maybe SSH to localhost to get the grous back?  I'm not sure how to regain secondary groups without a root process adding them, sorry.
> -Adam
>   
> 
> -----Original Message-----
> From: Roundtable <roundtable-bounces at muug.ca> On Behalf Of Trevor Cordes
> Sent: Monday, April 17, 2023 3:52 AM
> To: MUUG RndTbl <roundtable at muug.ca>
> Subject: [RndTbl] "washing" a fork/exec to force all groups
> 
> Just ran into this:
> 
> https://stackoverflow.com/questions/8568596/procmail-disregards-etc-group#
> 
> Postfix is doing something before/while it calls procmail for local
> delivery which strips all but the primary group of the recipient.  This
> means any complicated pipe I have setup in procmail which relies on
> secondary groups fails with read perm errors.
> 
> Sendmail doesn't do this stupidity (yay)!  But I needed to (argh finally)
> use postfix on a box that needed 2 MTAs installed (and sendmail couldn't,
> in the end, do it properly).
> 
> I consider the current stackoverflow answer to be a non-answer because
> Fedora/RHEL doesn't install procmail setgid/setuid anymore, and I don't
> want to fudge u+s g+s on every dnf update!
> 
> I've solved the problem by "washing" the procmail piped-to command through
> sudo.  I had to add to sudoers:
> fooman	ALL=(fooman) NOPASSWD: /bin/php
> 
> and change my procmail recipe pipe to:
> | /bin/sudo -u fooman /bin/php /needs/secondary/groups/to/read.php
> 
> Ok great, it all works with postfix now just like it did with sendmail.
> 
> The tricky question for you uber *nix geeks is: Can I achieve the same
> thing without the sudoers entry?  In other words, is there a way to
> achieve this without root access, if someone didn't have root on the box,
> say.
> 
> Too bad sudo isn't smart enough to say "hey, user fooman can run anything
> as user fooman" without a specific entry.  Maybe an option for postfix?
> Maybe some magic sudo or su can do?
> 
> Is an option to procmail possible or is this a problem that can *only* be
> solved by washing the call, somewhere along the line, through a setuid
> program (because once stripped by postfix they are gone forever)?
> 
> I wonder why sendmail doesn't chop off the groups but postfix does.

-- 
Gilbert Detillieux          E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science            Web:    http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba      Phone:  204-474-8161
Winnipeg MB CANADA  R3T 2N2
For best CS dept. service, contact <cs-support at lists.umanitoba.ca>.

More information about the Roundtable mailing list