Re: [SOLVED] Re: [gentoo-user] msmtp vs. nullmailer

[Marc Joliet]

Am Mon, 20 Jul 2015 10:23:30 -0400
schrieb "Walter Dnes" :

> On Mon, Jul 20, 2015 at 01:21:56PM +0200, Marc Joliet wrote
> 
> > This choice came about because I switched from fcron to systemd-cron,
> > which runs its mail_on_failure script as user "nobody", which caused
> > my current "passwordeval" command ("cat somefile", somefile having
> > a mode mask of 0600)
> 
>   That is the wrong, wrong, wrong way to do it.

I know, it somewhat defeats the purpose.  In my defense, it was supposed to be
temporary so that I could get msmtp working quickly until I was sure that I
wanted to keep it.

> > to fail due to insufficient access rights.  I really didn't want to
> > deal with how to properly solve that, and I don't think it's possible
> > (at least not with msmtp).  I mean, the problem statement is
> > basically "How do I securely give every user access to the password?".
> > Once stated that way, I think the difficulty with the problem becomes
> > fairly obvious.
> 
>   The correct question is "how do I allow user 'nobody' to execute a
> one-off command as another user.

My thought was admittedly somewhat academic:  I didn't want to assume that only
root and nobody wanted to send emails.  However, I notice that the only
software I have installed that needs to be able to send email is (insofar that
there aren't any packages missing a dependency on virtual/mta or virtual/mailx):

- portage (though only if you configure it appropriately)
- smartd (via the "mail" program instead of sendmail)
- *cron
- sudo (though I don't know under what circumstances and as what user, though I
  expect it to send emails as root)

All run as root except for *cron, which in the case of systemd-cron sends mails
as "nobody" (I don't remember how fcron or any of the other implementations do
it).

So from a practical point of view, you are right that the problem was limited
to dealing with user "nobody".  Though who knows what will happen after an
upgrade or package migration?  Despite being a Gentoo user, I'm not interested
in micromanaging *every* aspect of my system (only the fun parts).

> The solution is sudoers.  Emerge sudo
> and set up a file in /etc/sudoers.d.  I use /etc/sudoers.d/001 because
> I'm not creative with filenames.  Here is an example entry...
> 
> waltdnes  d531 = (root) NOPASSWD: /usr/sbin/hibernate
> 
>   The explanation...
> 
> waltdnes(the user being allowed to run the command)
> d531(the machine name in /etc/hosts)
> (root)  (the user privilege to run as)
> NOPASSWD:   (password is not required; no ugly "cat somefile" hack)
> /usr/sbin/hibernate (the command to run)
> 
>   As regular user "waltdnes", I execute the command...
> 
> sudo /usr/sbin/hibernate
> 
> ...and I get the system to hibernate, which normally requires root level
> privileges.  I'm lazy, so I set up a script ~/bin/hb that runs the above
> command.  I only have to execute "hb" to hibernate.  This approach is
> very granular, because it can be set up to allow one user to execute one
> specifc command.  If you wish, you can use wildcards, and the special
> "ALL" word to open up privileges more widely.

I actually know about this and have a wildcard rule for cpupower.  I agree with
Mick's point, though, which partially ties into *my* point: I want to limit
access to the password (file) to as few users as possible, and "nobody" is used
as a catch-all, so I wouldn't fully know *what* exactly I'm giving access to my
email account password.

I just didn't see any sane way to handle this with msmtp, which to me seems
more and more like it's primarily designed for use by regular users as
opposed to system services (various hints point to this, such as that the
system-wide example [0] only defines a default account without a password, or
the Gentoo package description I mentioned before).

Anyway, I'm happy with nullmailer right now.

[0] http://msmtp.sourceforge.net/doc/msmtp.html#A-system-wide-configuration-file
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup


pgpzbIzcAP8FR.pgp
Description: Digitale Signatur von OpenPGP

Re: [SOLVED] Re: [gentoo-user] msmtp vs. nullmailer

[Alan McKinnon]

On 21/07/2015 00:24, Mick wrote:
> On Monday 20 Jul 2015 22:50:31 Walter Dnes wrote:
>> On Mon, Jul 20, 2015 at 06:49:00PM +0100, Mick wrote
>>
>>> This is all good and dandy, but letting user "nobody" read your
>>> mail accoutn passwd may not be the safest approach to sending email
>>> messages from your machine.
>>
>>   I think you missed the point.  The "NOPASSWD:" option means that this
>> one particular user "nobody" ***DOES NOT NEED THE ROOT PASSWORD*** to
>> execute this one particular command which normally requires "root" level
>> privileges.  I repeat, it has no need for the password.  
> 
> I have not missed the point you are raising.  My concern was that "nobody" is 
> a user account without a login shell, to which you give access to a user file 
> that has a login shell and in particular to a file that contains the email 
> account passwd of that user.
> 
> Given that public servers and daemons often run as nobody:nogroup I would be 
> cautious about this.  I do not have an exact script in mind which could 
> potentially cause privilege escalation, but someone more skilled that I in 
> the 
> dark arts could well do.
> 


The main danger in that scenario (there are several) is that the shell
script can be suspended (Ctrl-Z) or offer a means to escape to a shell.
Do that, be root.

A good rule of thumb is to only put compiled programs into sudoers,
never scripts or wrappers. It is very very hard to write a script that
disables all those nasty features that made scripts so useful and friendly

-- 
Alan McKinnon
alan.mckin...@gmail.com

Re: [SOLVED] Re: [gentoo-user] msmtp vs. nullmailer

[Alan McKinnon]

On 20/07/2015 23:50, Walter Dnes wrote:
> On Mon, Jul 20, 2015 at 06:49:00PM +0100, Mick wrote


[snip]

>   You can tell it to run a script that contains that command.  Having
> passwords floating around on disk in clear text is a *BAD* idea.  Some
> "user friendly distros", like Ubuntu, let you run *ANY* command as root
> if you prefix it with "sudo".  That can be done with the keyword "ALL"
> 
> michael michaelsmachine = (root) NOPASSWD: ALL

[snip]

Lets be fair to Ubuntu - the above is not how it ships. On Ubuntu, all
users in the "admin" group can run any command with sudo, and sudoers
ships with a cpnfig that *requires* the user's password. This is a very
normal config and an excellent starting point. The first user added
during the install is added to the admin group (as obviously it is root
doing the installation), all other users must be added to the group by
root manually.

What you describe is most certainly not how Ubuntu ships (but idiots who
will do it, or follow howtos that say to do it, do exist)


-- 
Alan McKinnon
alan.mckin...@gmail.com

Re: [SOLVED] Re: [gentoo-user] msmtp vs. nullmailer

[Mick]

On Monday 20 Jul 2015 22:50:31 Walter Dnes wrote:
> On Mon, Jul 20, 2015 at 06:49:00PM +0100, Mick wrote
> 
> > This is all good and dandy, but letting user "nobody" read your
> > mail accoutn passwd may not be the safest approach to sending email
> > messages from your machine.
> 
>   I think you missed the point.  The "NOPASSWD:" option means that this
> one particular user "nobody" ***DOES NOT NEED THE ROOT PASSWORD*** to
> execute this one particular command which normally requires "root" level
> privileges.  I repeat, it has no need for the password.  

I have not missed the point you are raising.  My concern was that "nobody" is 
a user account without a login shell, to which you give access to a user file 
that has a login shell and in particular to a file that contains the email 
account passwd of that user.

Given that public servers and daemons often run as nobody:nogroup I would be 
cautious about this.  I do not have an exact script in mind which could 
potentially cause privilege escalation, but someone more skilled that I in the 
dark arts could well do.

-- 
Regards,
Mick


signature.asc
Description: This is a digitally signed message part.

Re: [SOLVED] Re: [gentoo-user] msmtp vs. nullmailer

[Walter Dnes]

On Mon, Jul 20, 2015 at 06:49:00PM +0100, Mick wrote

> This is all good and dandy, but letting user "nobody" read your
> mail accoutn passwd may not be the safest approach to sending email
> messages from your machine.

  I think you missed the point.  The "NOPASSWD:" option means that this
one particular user "nobody" ***DOES NOT NEED THE ROOT PASSWORD*** to
execute this one particular command which normally requires "root" level
privileges.  I repeat, it has no need for the password.  This is done
with a sudoers entry like the following example.

michael michaelsmachine = (root) NOPASSWD: /usr/sbin/nullmailer

  The only problem might be convincing your program that the mail
command is...

sudo /usr/sbin/nullmailer

  You can tell it to run a script that contains that command.  Having
passwords floating around on disk in clear text is a *BAD* idea.  Some
"user friendly distros", like Ubuntu, let you run *ANY* command as root
if you prefix it with "sudo".  That can be done with the keyword "ALL"

michael michaelsmachine = (root) NOPASSWD: ALL

  I do not like it on general principle.  It gives away the store as far
as security is concerned.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications

Re: [SOLVED] Re: [gentoo-user] msmtp vs. nullmailer

[Mick]

On Monday 20 Jul 2015 15:23:30 Walter Dnes wrote:
> On Mon, Jul 20, 2015 at 01:21:56PM +0200, Marc Joliet wrote
> 
> > This choice came about because I switched from fcron to systemd-cron,
> > which runs its mail_on_failure script as user "nobody", which caused
> > my current "passwordeval" command ("cat somefile", somefile having
> > a mode mask of 0600)
> 
>   That is the wrong, wrong, wrong way to do it.
> 
> > to fail due to insufficient access rights.  I really didn't want to
> > deal with how to properly solve that, and I don't think it's possible
> > (at least not with msmtp).  I mean, the problem statement is
> > basically "How do I securely give every user access to the password?".
> > Once stated that way, I think the difficulty with the problem becomes
> > fairly obvious.
> 
>   The correct question is "how do I allow user 'nobody' to execute a
> one-off command as another user.  The solution is sudoers.  Emerge sudo
> and set up a file in /etc/sudoers.d.  I use /etc/sudoers.d/001 because
> I'm not creative with filenames.  Here is an example entry...
> 
> waltdnes  d531 = (root) NOPASSWD: /usr/sbin/hibernate
> 
>   The explanation...
> 
> waltdnes(the user being allowed to run the command)
> d531(the machine name in /etc/hosts)
> (root)  (the user privilege to run as)
> NOPASSWD:   (password is not required; no ugly "cat somefile" hack)
> /usr/sbin/hibernate (the command to run)
> 
>   As regular user "waltdnes", I execute the command...
> 
> sudo /usr/sbin/hibernate
> 
> ...and I get the system to hibernate, which normally requires root level
> privileges.  I'm lazy, so I set up a script ~/bin/hb that runs the above
> command.  I only have to execute "hb" to hibernate.  This approach is
> very granular, because it can be set up to allow one user to execute one
> specifc command.  If you wish, you can use wildcards, and the special
> "ALL" word to open up privileges more widely.

This is all good and dandy, but letting user "nobody" read your mail accoutn 
passwd may not be the safest approach to sending email messages from your 
machine.
-- 
Regards,
Mick


signature.asc
Description: This is a digitally signed message part.

Re: [SOLVED] Re: [gentoo-user] msmtp vs. nullmailer

[Walter Dnes]

On Mon, Jul 20, 2015 at 01:21:56PM +0200, Marc Joliet wrote

> This choice came about because I switched from fcron to systemd-cron,
> which runs its mail_on_failure script as user "nobody", which caused
> my current "passwordeval" command ("cat somefile", somefile having
> a mode mask of 0600)

  That is the wrong, wrong, wrong way to do it.

> to fail due to insufficient access rights.  I really didn't want to
> deal with how to properly solve that, and I don't think it's possible
> (at least not with msmtp).  I mean, the problem statement is
> basically "How do I securely give every user access to the password?".
> Once stated that way, I think the difficulty with the problem becomes
> fairly obvious.

  The correct question is "how do I allow user 'nobody' to execute a
one-off command as another user.  The solution is sudoers.  Emerge sudo
and set up a file in /etc/sudoers.d.  I use /etc/sudoers.d/001 because
I'm not creative with filenames.  Here is an example entry...

waltdnes  d531 = (root) NOPASSWD: /usr/sbin/hibernate

  The explanation...

waltdnes(the user being allowed to run the command)
d531(the machine name in /etc/hosts)
(root)  (the user privilege to run as)
NOPASSWD:   (password is not required; no ugly "cat somefile" hack)
/usr/sbin/hibernate (the command to run)

  As regular user "waltdnes", I execute the command...

sudo /usr/sbin/hibernate

...and I get the system to hibernate, which normally requires root level
privileges.  I'm lazy, so I set up a script ~/bin/hb that runs the above
command.  I only have to execute "hb" to hibernate.  This approach is
very granular, because it can be set up to allow one user to execute one
specifc command.  If you wish, you can use wildcards, and the special
"ALL" word to open up privileges more widely.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications

[SOLVED] Re: [gentoo-user] msmtp vs. nullmailer

[Marc Joliet]

OK, I finally solved this, albeit a bit differently... by switching to
nullmailer.

The TL/DR summary is: use the right tool for the job.  Some more details follow
below.

Nullmailer was very easy to set up (the deceptively short HOWTO is pretty much
all that is needed).  The only problem is that there is no way to rewrite the
envelope sender, which is required by my email provider.  I solved that...
creatively. *However* the master branch contains a change that introduces the
"allmailfrom" control file [0], so once version 1.14 is out I can remove the
hack.

This choice came about because I switched from fcron to systemd-cron, which
runs its mail_on_failure script as user "nobody", which caused my current
"passwordeval" command ("cat somefile", somefile having a mode mask of 0600) to
fail due to insufficient access rights.  I really didn't want to deal with how
to properly solve that, and I don't think it's possible (at least not with
msmtp).  I mean, the problem statement is basically "How do I securely give
every user access to the password?".  Once stated that way, I think the
difficulty with the problem becomes fairly obvious.

With nullmailer the remotes file is 0640, with group nullmailer, so only root
or nullmailer can access it.  It's also simple enough that I simply didn't add
it to git.  So the password is in plain text, but access is strictly limited.

But really, I *should* have been tipped off by the package description:  "An
SMTP client and SMTP plugin for mail user agents such as Mutt".  The above
problem simply doesn't exist when running msmtp as a normal user (in which case
you probably don't even have an /etc/msmtprc).

[0]
https://github.com/bruceg/nullmailer/commit/da55b71b6136bcefc7aa784a7f9fd45987670a7a
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup


pgpEvOZMu7xHY.pgp
Description: Digitale Signatur von OpenPGP

Re: [gentoo-user] msmtp vs. nullmailer

[Mick]

On Monday 08 Jun 2015 23:45:36 Walter Dnes wrote:
> On Mon, Jun 08, 2015 at 11:47:04AM +0200, Marc Joliet wrote
> 
> > So my question is: what is your preference, nullmailer or msmtp
> > (or neither?), and why?
> 
>   I'm still using ssmtp.  It still works.  I look at it this way...
> there's no more development being done, because it's already perfect
> .  It'll go into background mode if an email is sent, and the
> receiving MTA doesn't accept within approx 45 seconds or so.

It doesn't work for all cases.  If you use symbols in your email password the 
login fails.  I tried escaping them, but have not been successful and found 
that it is a bug.

 
>   I also like the fact that there's one config file.  

Well, there' also the revaliases file.


>   My dialup script
> (emergency backup when ADSL is down) runs su to copy over the ssmtp.conf
> file with the dialup ISP's MTA.  When I sign off, the "dialdown" script
> runs su to copy over the ssmtp.conf file with the ADSL ISP's MTA.

-- 
Regards,
Mick


signature.asc
Description: This is a digitally signed message part.

Re: [gentoo-user] msmtp vs. nullmailer

[Walter Dnes]

On Mon, Jun 08, 2015 at 11:47:04AM +0200, Marc Joliet wrote

> So my question is: what is your preference, nullmailer or msmtp
> (or neither?), and why?

  I'm still using ssmtp.  It still works.  I look at it this way...
there's no more development being done, because it's already perfect
.  It'll go into background mode if an email is sent, and the
receiving MTA doesn't accept within approx 45 seconds or so.

  I also like the fact that there's one config file.  My dialup script
(emergency backup when ADSL is down) runs su to copy over the ssmtp.conf
file with the dialup ISP's MTA.  When I sign off, the "dialdown" script
runs su to copy over the ssmtp.conf file with the ADSL ISP's MTA.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications

Re: [gentoo-user] msmtp vs. nullmailer

[Guy-Laurent Subri]

Hi, I like to use msmtp. I actually never tried nullmailer, but msmtp
seemd a great choice. For the queue "issue" I can redirect you to a
document created by a Gentoo dev on mutt [0].

Guy-Laurent Subri

[0] https://dev.gentoo.org/~tomka/mail.html
On Mon, Jun 08, 2015 at 11:47:04AM +0200, Marc Joliet wrote:

Hi list,

As part of removing now superfluous server functionality on my desktop, I
replaced postfix with msmtp (and removed a bunch of other software).  However,
the portage default for virtual/mta is nullmailer.  (I also switched my laptop
from ssmtp to msmtp since ssmtp upstream has long been dead and has thus fallen
out of favour with Gentoo devs [0].)

Now, my reasoning for choosing msmtp was that development seemed more active.
The last release of nullmailer was in 2013, while msmtp has had a release or
two this year already.  However, the nullmailer repository [1] has shown a bit
of activity since the last release, though it looks fairly minor to me.

However, the one thing that annoys me is that msmtp does not seem to have any
sort of queue [2], so if it can't deliver an email, it must be resent, which is
annoying for system emails.  Now, I read that nullmailer has a queue (at both
[2] and [3]).

So my question is: what is your preference, nullmailer or msmtp (or neither?),
and why?  Is there anything that speaks against nullmailer, other than its
(seemingly) slow development?

[0] https://bugs.gentoo.org/show_bug.cgi?id=450812
[1] https://github.com/bruceg/nullmailer/commits/master
[2] http://sourceforge.net/p/msmtp/mailman/message/649420/
[3] http://www.troubleshooters.com/linux/nullmailer/

--
Marc Joliet
--
"People who think they know everything really annoy those of us who know we
don't" - Bjarne Stroustrup