Subject: Re: procmail package?
To: None <tech-pkg@netbsd.org>
From: Greg A. Woods <woods@most.weird.com>
List: tech-pkg
Date: 08/07/1998 21:00:26
[ On Fri, August 7, 1998 at 08:04:53 (-0400), Todd Vierling wrote: ]
> Subject: Re: procmail package?
>
> On Fri, 7 Aug 1998, matthew green wrote:
> 
> : why does the procmail package install, by default, as setuid root?  this
> : is insecure even if procmail is supposedly OK :)
> 
> It's an MDA, and can function as a replacement for mail.local.  It has to be
> able to setuid() to the destination user in order to write to that user's
> mailbox securely (and on systems where /var/mail is mode 755, in order to
> create a nonexistent mailbox).

The operative word is "can".

I don't know what the statistics are, but I'd bet that a large number of
procmail users simply invoke it directly from their own ~/.forward files
(or the equivalent).  For cases where procmail is used as a system MDA
some mailers can invoke it as the target user.  Neither of these usages
requires that an MDA be setuid-anything.

Even more silly is the fact that if any MDA is merely setgid to some
group that owns, and has write permission to, all files in /var/mail, and
if, of course, all mailboxes in /var/mail are pre-created, then it is
not necessary to use setuid-root for final mail spool file delivery at all.

Finally, though I cannot vouch for the current status of the latest
greatest version of procmail, I can attest to the fact that I've
received many bounces from people who have managed to cause at least
some versions of it to dump core simply by incorrectly configuring their
~/.procmailrc files, and I certainly wouldn't trust those versions
within a million miles of being setuid-root.

-- 
							Greg A. Woods

+1 416 443-1734      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
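The delivery modes argued about in the message above, as an added example in C that is not part of this thread, of procmail, or of mail.local: appending to a pre-created, group-writable mailbox (needs nothing beyond group write), the permanent privilege drop a root-started system MDA must make before touching the file (a no-op when the MTA already runs the MDA as the user, the ~/.forward case), and the check for the one step that does need root, creating a missing mailbox in a mode-755 spool. The spool directory under /tmp, the users alice and bob, the sender and the message are constructed for the demonstration.

```c
/* Minimal mbox delivery showing the privilege points made above.  Added example,
 * not procmail/mail.local code; spool, user names and message are constructed. */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

char test_spool[64], test_mailbox[128];   /* throwaway stand-in for /var/mail */

/* 1 if a setgid-`mailgid` (non-root) MDA could not create a new mailbox in
 * `spool`, 0 if it could (group-owned, group-writable), -1 on error.  This is
 * the only step of delivery that can need root. */
int spool_needs_root_to_create(const char *spool, gid_t mailgid)
{
    struct stat st;
    if (stat(spool, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (st.st_gid == mailgid && (st.st_mode & S_IWGRP)) ? 0 : 1;
}

/* Permanently become the target user; a no-op unless started as root (from
 * ~/.forward the MTA already runs us as the user).  -1 if the drop failed. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return (setuid(0) == 0 || geteuid() != uid || getegid() != gid) ? -1 : 0;
}

/* mbox "From " separator line, in UTC so the output is reproducible. */
const char *mbox_from_line(const char *sender, time_t when)
{
    static char line[128]; char date[32]; struct tm tm;
    gmtime_r(&when, &tm);
    strftime(date, sizeof date, "%a %b %e %H:%M:%S %Y", &tm);
    snprintf(line, sizeof line, "From %s %s\n", sender, date);
    return line;
}

/* Append one message to an EXISTING mailbox under an exclusive lock.  No
 * O_CREAT on purpose: group write on a pre-created mailbox is all it needs.
 * Returns bytes appended, or -1 on failure. */
long append_to_mailbox(const char *path, const char *sender, time_t when,
                       const char *body)
{
    const char *parts[3] = { mbox_from_line(sender, when), body, "\n" };
    long total = 0;
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX) != 0) { close(fd); return -1; }
    for (int i = 0; i < 3 && total >= 0; i++) {
        size_t len = strlen(parts[i]), off = 0;
        while (off < len) {
            ssize_t w = write(fd, parts[i] + off, len - off);
            if (w < 0) { total = -1; break; }
            off += (size_t)w;
        }
        if (total >= 0) total += (long)len;
    }
    flock(fd, LOCK_UN);
    close(fd);
    return total;
}

/* Fixture: spool in the mode-755 layout the post mentions, holding one
 * pre-created mailbox (mode 660, group = our effective gid).  0 on success. */
int make_test_spool(const char *user)
{
    strcpy(test_spool, "/tmp/spoolXXXXXX");
    if (mkdtemp(test_spool) == NULL || chmod(test_spool, 0755) != 0 ||
        chown(test_spool, (uid_t)-1, getegid()) != 0) return -1;
    snprintf(test_mailbox, sizeof test_mailbox, "%s/%s", test_spool, user);
    int fd = open(test_mailbox, O_WRONLY | O_CREAT | O_EXCL, 0660);
    if (fd < 0 || fchown(fd, (uid_t)-1, getegid()) != 0) return -1;
    close(fd);
    return 0;
}
long file_size(const char *path)
{ struct stat st; return stat(path, &st) == 0 ? (long)st.st_size : -1; }

int main(void)
{
    if (make_test_spool("alice") != 0) { perror("spool"); return 1; }
    printf("root needed to create a mailbox in %s: %s\n", test_spool,
           spool_needs_root_to_create(test_spool, getegid()) ? "yes" : "no");
    if (drop_to_user(getuid(), getgid()) != 0) { fputs("drop failed\n", stderr); return 1; }
    printf("appended %ld bytes to %s\n", append_to_mailbox(test_mailbox,
           "mailer-daemon", 0, "Subject: test\n\nhello\n"), test_mailbox);
    printf("delivery to a missing mailbox returns %ld\n",
           append_to_mailbox("/tmp/no-such-spool/bob", "mailer-daemon", 0, "x\n"));
    return 0;
}
```

Build with `cc -o mda mda.c` and run as an ordinary user; it leaves the temporary spool under /tmp for inspection. Locking is simplified to flock() on the mailbox; a real MDA on a shared spool also has to honour whatever dot-locking convention the local mail readers expect.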