On Tue, 05 Nov 2019 at 10:02:23 -0500, Simon Deziel wrote:
> On 2019-11-05 9:29 a.m., Jakub Wilk wrote:
> > If /etc/msmtprc is readable by group msmtp (as suggested in
> > README.Debian), any user can acquire password from that file
> 
> Nice catch! Having /etc/msmtprc group readable is AFAIK, a "debianism".
> I don't know if upstream endorses this method of restricting access
> to the default account's password.

Even if this specific attack did not exist, if msmtp is not specifically
designed to be safe to use with elevated privileges, then I think it's
a security-significant, Debian-specific bug to be making it setgid
in Debian.

Privileged (setuid/setgid/setcap) executables need to be written in a
defensive/paranoid way. They have to be specifically designed to distrust
their whole execution environment - environment variables, command-line
options, resource limits and so on - and every library they are linked
to needs to be specifically designed to do the same. Otherwise, there is
often a way for an attacker to trick the process into executing arbitrary
code with its elevated privileges, which gives the attacker access to
those elevated privileges. Please see
<https://dwheeler.com/secure-programs/Secure-Programs-HOWTO.html> for
a lot more information on this topic.

In this case, the elevated privilege is the ability to read files that
are 0640 root:msmtp, such as /etc/msmtprc in the configuration suggested
by Debian-specific documentation in this package.

This came to my attention because I was recently involved in hardening
GLib so that it is more difficult to use as an attack vector to get
elevated privileges like this. This made GLib distrust environment
variables, which ended up breaking msmtp's support for retrieving
passwords from libsecret
(see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981420#59>,
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981420#71>).
Note that GLib is not really designed to be used in processes that run
with elevated privileges, so the GLib upstream maintainers consider this
to be security hardening to mitigate it being used in an unsafe way,
rather than a fix for a vulnerability in GLib.

For now, GLib upstream has partially reverted that change, weakening the
security hardening in order to fix the regression, and I'm going to do
the same in Debian. This should stop msmtp from regressing in terms of
which features work, but I cannot guarantee that it does not make msmtp
exploitable. If I find a concrete attack, I will report it privately to
the security team.

I would recommend removing the setgid support from msmtp, and recommending
that people who want a system-wide authenticating MTA whose credentials
are not disclosed to unprivileged users should be using a fully-featured
MTA that was designed to act as a security boundary, like Exim or Postfix.

msmtp's design is fine for simpler use-cases where the process sending
email is allowed to have enough privileges to know the password, but it
does not seem to be designed to be used as a security boundary, which
means it is dangerous for Debian-specific changes to make it into a
security boundary.

Thanks,
    smcv

Reply via email to