Re: OpenSMTPD: unprivileged mode - now with diff
On Sat, 23 May 2020 15:53:05 +0200, Christopher Zimmermann wrote: > Ok to commit the below change? OK millert@ - todd
Re: OpenSMTPD: unprivileged mode - now with diff
On Sun, Apr 26, 2020 at 08:55:14AM +, gil...@poolp.org wrote: April 26, 2020 10:34 AM, "Christopher Zimmermann" wrote: Hi, I further developed my approach to allow running smtpd with fewer privileges. This diff does two things: - always run lmtp deliveries as SMTPD_USER. The change to mda_unpriv.c is needed, because otherwise all mails would be delivered to SMTPD_USER. - add two internal flags NOPRIV and NEEDPRIV. NOPRIV can be configured by the simple directive "no-priv". NEEDPRIV gets set on all delivery methods / options requiring setuid() to run as the receipient user. A configuration error is produced on any conflict betweed NEEDPRIV and NOPRIV. In case of a NOPRIV run smtpd will drop root privileges. This will break .forward and alias filters. The change to the lmtp delivery has benefits even without the second change. With the second change my smtpd now runs without root privileges. The NEEDPRIV/NOPRIV options are meant to allow restricting of the privileges of other delivery methods. I am now looking for OKs on the first change to do unprivileged lmtp deliveries and feedback on the general approach of the second change. The LMTP change seems interesting to me, it means that a broken LMTP delivery will fail with _smtpd privileges instead of the (unprivileged) recipient user so I think it's a good move. Ok to commit the below change? Christopher Index: mda_unpriv.c === RCS file: /cvs/src/usr.sbin/smtpd/mda_unpriv.c,v retrieving revision 1.6 diff -u -p -r1.6 mda_unpriv.c --- mda_unpriv.c2 Feb 2020 22:13:48 - 1.6 +++ mda_unpriv.c23 May 2020 13:43:39 - @@ -69,8 +69,8 @@ mda_unpriv(struct dispatcher *dsp, struc xasprintf(_environ[idx++], "RECIPIENT=%s@%s", deliver->dest.user, deliver->dest.domain); xasprintf(_environ[idx++], "SHELL=/bin/sh"); xasprintf(_environ[idx++], "LOCAL=%s", deliver->rcpt.user); - xasprintf(_environ[idx++], "LOGNAME=%s", pw_name); - xasprintf(_environ[idx++], "USER=%s", pw_name); + xasprintf(_environ[idx++], "LOGNAME=%s", deliver->userinfo.username); + xasprintf(_environ[idx++], "USER=%s", deliver->userinfo.username); if (deliver->sender.user[0]) xasprintf(_environ[idx++], "SENDER=%s@%s", Index: parse.y === RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v retrieving revision 1.277 diff -u -p -r1.277 parse.y --- parse.y 24 Feb 2020 23:54:27 - 1.277 +++ parse.y 23 May 2020 13:43:40 - @@ -690,10 +690,12 @@ MBOX { | LMTP STRING { asprintf(>u.local.command, "/usr/libexec/mail.lmtp -d %s -u", $2); + dispatcher->u.local.user = SMTPD_USER; } dispatcher_local_options | LMTP STRING RCPT_TO { asprintf(>u.local.command, "/usr/libexec/mail.lmtp -d %s -r", $2); + dispatcher->u.local.user = SMTPD_USER; } dispatcher_local_options | MDA STRING { asprintf(>u.local.command, -- http://gmerlin.de OpenPGP: http://gmerlin.de/christopher.pub CB07 DA40 B0B6 571D 35E2 0DEF 87E2 92A7 13E5 DEE1
Re: OpenSMTPD: unprivileged mode - now with diff
Hello, Christopher On the right of a person who had successfully run rootless sendmail installations for many years, please find some comments below. On 2020-04-26 12:30, Christopher Zimmermann wrote: Thanks for giving it a thought. I'm not entirely convinced either. But believe some thought should be given to it. In your opinion would it be generaly a bad idea to try run smtpd without root privileges? What exectly will cease to work? - .forward and alias _filtering_ will break for sure. not necessarily. at least as long as users will have smtpd and their .forward and in the same group and you've documented it. also, .forward and authentication could be handled by a separate daemon bound to unix socket only, which won't listen to outside world. or even better, separate all the functions, that usually need root access to such daemon(s). the only thing was broken for me in sendmail's case, was mbox deliveries. but AFAIR, that was solved by having patched version of mail.local. -- With best regards, Gregory Edigarov
Re: OpenSMTPD: unprivileged mode - now with diff
On Sun, Apr 26, 2020 at 08:55:14AM +, gil...@poolp.org wrote: April 26, 2020 10:34 AM, "Christopher Zimmermann" wrote: - always run lmtp deliveries as SMTPD_USER. The change to mda_unpriv.c is needed, because otherwise all mails would be delivered to SMTPD_USER. - add two internal flags NOPRIV and NEEDPRIV. NOPRIV can be configured by the simple directive "no-priv". NEEDPRIV gets set on all delivery methods / options requiring setuid() to run as the receipient user. A configuration error is produced on any conflict betweed NEEDPRIV and NOPRIV. In case of a NOPRIV run smtpd will drop root privileges. This will break .forward and alias filters. Hi, thanks for your fast reply. The LMTP change seems interesting to me, it means that a broken LMTP delivery will fail with _smtpd privileges instead of the (unprivileged) recipient user so I think it's a good move. That's great. Is there anything that needs to change or be clarified before you can give an ok? I'm less convinced by the other change and it doesn't only break .forward and alias, it also breaks authentication, tables reloading, and probably stuff my mind is not yet awake enough to think of. Thanks for giving it a thought. I'm not entirely convinced either. But believe some thought should be given to it. In your opinion would it be generaly a bad idea to try run smtpd without root privileges? What exectly will cease to work? - .forward and alias _filtering_ will break for sure. Forwarding won't break. - Authentication: Authentication of system users will break. So I would mark auth without auth-table as need_priv() in parse.y. - tables reloading: this is a problem only for tables with restricted read permissions, isn't it? I could try to figure out whether it is a problem in parse.y and mark it as need_priv() if necessary, but one could also just document the no-priv option with its limitations. - other stuff: Can it be dealt with need_priv()? Will it lead to unpleasant surprises for users? The general idea is to allow running smtpd without root priviliges where possible and maybe try to change it to support running without root for more use-cases over time. Like try to pick the low-hanging fruits first. One less low-hanging fruits would be to integrate mail.lmtp(8) into smtpd and move other mail.* functionality into a privileged lmtpd daemon. This would remove those vulnerable mda-exec lines from the envelope files. That's just one idea how one could proceed. The current proposal is to start stripping privileges where possible. Christopher -- http://gmerlin.de OpenPGP: http://gmerlin.de/christopher.pub CB07 DA40 B0B6 571D 35E2 0DEF 87E2 92A7 13E5 DEE1
Re: OpenSMTPD: unprivileged mode - now with diff
April 26, 2020 10:34 AM, "Christopher Zimmermann" wrote: > Hi, > > I further developed my approach to allow running smtpd with fewer privileges. > This diff does two > things: > > - always run lmtp deliveries as SMTPD_USER. The change to mda_unpriv.c is > needed, because otherwise > all mails would be delivered to SMTPD_USER. > > - add two internal flags NOPRIV and NEEDPRIV. NOPRIV can be configured by the > simple directive > "no-priv". NEEDPRIV gets set on all delivery methods / options requiring > setuid() to run as the > receipient user. > A configuration error is produced on any conflict betweed NEEDPRIV and NOPRIV. > In case of a NOPRIV run smtpd will drop root privileges. > This will break .forward and alias filters. > > The change to the lmtp delivery has benefits even without the second change. > With the second change > my smtpd now runs without root privileges. > The NEEDPRIV/NOPRIV options are meant to allow restricting of the privileges > of other delivery > methods. > > I am now looking for OKs on the first change to do unprivileged lmtp > deliveries and feedback on the > general approach of the second change. > The LMTP change seems interesting to me, it means that a broken LMTP delivery will fail with _smtpd privileges instead of the (unprivileged) recipient user so I think it's a good move. I'm less convinced by the other change and it doesn't only break .forward and alias, it also breaks authentication, tables reloading, and probably stuff my mind is not yet awake enough to think of. > Index: mda_unpriv.c > === > RCS file: /cvs/src/usr.sbin/smtpd/mda_unpriv.c,v > retrieving revision 1.6 > diff -u -p -r1.6 mda_unpriv.c > --- mda_unpriv.c 2 Feb 2020 22:13:48 - 1.6 > +++ mda_unpriv.c 26 Apr 2020 05:27:34 - > @@ -69,8 +69,8 @@ mda_unpriv(struct dispatcher *dsp, struc > xasprintf(_environ[idx++], "RECIPIENT=%s@%s", deliver->dest.user, > deliver->dest.domain); > xasprintf(_environ[idx++], "SHELL=/bin/sh"); > xasprintf(_environ[idx++], "LOCAL=%s", deliver->rcpt.user); > - xasprintf(_environ[idx++], "LOGNAME=%s", pw_name); > - xasprintf(_environ[idx++], "USER=%s", pw_name); > + xasprintf(_environ[idx++], "LOGNAME=%s", deliver->userinfo.username); > + xasprintf(_environ[idx++], "USER=%s", deliver->userinfo.username); > if (deliver->sender.user[0]) > xasprintf(_environ[idx++], "SENDER=%s@%s", > Index: parse.y > === > RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v > retrieving revision 1.277 > diff -u -p -r1.277 parse.y > --- parse.y 24 Feb 2020 23:54:27 - 1.277 > +++ parse.y 26 Apr 2020 05:27:35 - > @@ -154,6 +154,7 @@ static int host_v4(struct listen_opts *) > static int host_v6(struct listen_opts *); > static int host_dns(struct listen_opts *); > static int interface(struct listen_opts *); > +static void need_priv(const char *); > int delaytonum(char *); > int is_if_in_group(const char *, const char *); > @@ -186,7 +187,7 @@ typedef struct { > %token KEY > %token LIMIT LISTEN LMTP LOCAL > %token MAIL_FROM MAILDIR MASK_SRC MASQUERADE MATCH MAX_MESSAGE_SIZE > MAX_DEFERRED MBOX MDA MTA MX > -%token NO_DSN NO_VERIFY NOOP > +%token NO_DSN NO_PRIV NO_VERIFY NOOP > %token ON > %token PHASE PKI PORT PROC PROC_EXEC PROXY_V2 > %token QUEUE QUIT > @@ -212,6 +213,7 @@ grammar : /* empty */ > | grammar ca '\n' > | grammar mda '\n' > | grammar mta '\n' > + | grammar privs '\n' > | grammar pki '\n' > | grammar proc '\n' > | grammar queue '\n' > @@ -379,6 +381,20 @@ MTA MAX_DEFERRED NUMBER { > ; > +privs: > +NO_PRIV { > + if (conf->sc_opts & SMTPD_OPT_NEEDPRIV) { > + yyerror("Unprivileged operation is not possible."); > + YYERROR; > + } > + else { > + log_warnx("Unprivileged operation requested."); > + conf->sc_opts |= SMTPD_OPT_NOPRIV; > + } > +} > +; > + > + > pki: > PKI STRING { > char buf[HOST_NAME_MAX+1]; > @@ -566,6 +582,8 @@ SRS KEY STRING { > dispatcher_local_option: > USER STRING { > + need_priv("with user"); > + > if (dispatcher->u.local.is_mbox) { > yyerror("user may not be specified for this dispatcher"); > YYERROR; > @@ -662,16 +680,20 @@ dispatcher_local_option dispatcher_local > dispatcher_local: > MBOX { > + need_priv("mbox"); > dispatcher->u.local.is_mbox = 1; > asprintf(>u.local.command, "/usr/libexec/mail.local -f > %%{mbox.from} -- > %%{user.username}"); > } dispatcher_local_options > | MAILDIR { > + need_priv("maildir"); > asprintf(>u.local.command, "/usr/libexec/mail.maildir"); > } dispatcher_local_options > | MAILDIR JUNK { > + need_priv("maildir"); > asprintf(>u.local.command, "/usr/libexec/mail.maildir -j"); > } dispatcher_local_options > | MAILDIR STRING { > + need_priv("maildir"); > if (strncmp($2, "~/", 2) == 0) > asprintf(>u.local.command, > "/usr/libexec/mail.maildir \"%%{user.directory}/%s\"", $2+2); > @@ -680,6 +702,7 @@ MBOX { > "/usr/libexec/mail.maildir \"%s\"", $2); > } dispatcher_local_options > | MAILDIR STRING