
From:
gilles@poolp.org
Subject:
Re: smtpd: disallow custom mda for root deliveries
To:
tech@openbsd.org
Date:
Wed, 31 Jan 2024 10:53:49 +0000

January 29, 2024 11:10 PM, gilles@poolp.org wrote:

> Hello,
> 
> After investigating a user bug, I figured that there's a small change that could make OpenSMTPD
> far more resistant to privilege escalation when a bug happens.
> 
> OpenSMTPD only accepts mail deliveries to root with the mbox MDA because OpenBSD expects root to be
> able to receive mail out of the box on a new install for the welcome mail as well as the daily,
> weekly and monthly mail... but if you try to deliver to root with another MDA, say maildir, you
> will be greeted with an error forcing you to forward root mail to an unprivileged user.
> 
> However, root is still allowed to use forward files and these allow plugging an alternate MDA which
> is executed with the user's permissions (root here), so basically root can work around the restriction
> by executing maildir within a forward file.
> 
> I don't think there's any good reason for root to plug commands in a forward file, nor is there
> any good reason for smtpd to execute root commands from a forward file. By preventing root from
> using commands in forward files, we can make smtpd's MDA execution tighter: if you are root,
> and the mda is not "mail.local", do not execute the mda.
> 
> Why prevent root from shooting itself in the foot with a bad decision?
> 
> It also raises the bar for attacks and makes it much more complicated for attackers to inject a
> custom command in an envelope in the hope that it gets executed by root even if they've obtained
> control of the queue process somehow.
> 
> I believe this would have prevented the root escalation exploit that happened 5 years ago.
> 
> The diff below:
> 
> a- forbids the inclusion of a filename or command in a privileged user's .forward
> b- disallows execution of an MDA that's not mbox for privileged users with no override possible,
> be it from an mda wrapper or a .forward (second later check, just in case).
> 
> You can still add addresses or users in root's forward file.
> 
> This could still be abused if someone managed to corrupt memory enough that the dispatcher will
> have its default command point to another one, but if this gets in I'll craft another diff that
> will perform a literal const check for root's mbox MDA killing the remaining potential.
> 
> Tested on my laptop but could use some more testing.
> 
> Opinion?
> 

ping!
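The two checks the proposal describes (points a and b), as an added illustration written for this page and not gilles's actual diff: a simplified model of how .forward entries are classified, a per-uid policy that refuses file and command entries for root, and the dispatcher-side refusal to run anything but mail.local when the delivery user is root. The entry grammar, the function names, the uid == 0 notion of "privileged" and the /usr/libexec/mail.local path are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

/* Assumed path of the mbox MDA; the real check belongs in smtpd's dispatcher. */
#define PATH_MAILLOCAL "/usr/libexec/mail.local"

/* What a single .forward entry expands to (simplified model). */
enum fwd_kind { FWD_ADDRESS, FWD_USER, FWD_FILE, FWD_COMMAND, FWD_INVALID };

static enum fwd_kind classify_forward_entry(const char *e)
{
	while (isspace((unsigned char)*e))
		e++;
	if (*e == '\0') return FWD_INVALID;
	if (*e == '|') return FWD_COMMAND;	/* "|/usr/bin/procmail" */
	if (*e == '/') return FWD_FILE;		/* "/var/mail/root.archive" */
	if (strchr(e, '@')) return FWD_ADDRESS;	/* "alice@example.org" */
	return FWD_USER;			/* "alice" */
}

/* Point (a): root's .forward may only name addresses or local users. */
static bool forward_entry_allowed(uid_t uid, const char *entry)
{
	enum fwd_kind k = classify_forward_entry(entry);
	if (k == FWD_INVALID) return false;
	return uid != 0 || (k != FWD_FILE && k != FWD_COMMAND);
}

/* Reject a whole .forward (entries separated by commas or newlines,
 * '#' lines are comments) if any entry violates the policy for uid. */
static bool forward_file_allowed(uid_t uid, const char *contents)
{
	char buf[1024], *tok;
	if (strlen(contents) >= sizeof buf) return false;
	strcpy(buf, contents);
	for (tok = strtok(buf, ",\n"); tok != NULL; tok = strtok(NULL, ",\n")) {
		while (isspace((unsigned char)*tok)) tok++;
		if (*tok == '\0' || *tok == '#') continue;	/* blank or comment */
		if (!forward_entry_allowed(uid, tok)) return false;
	}
	return true;
}

/* Point (b): for root only the mbox MDA may run, whatever an mda wrapper
 * or a .forward asked for; this is the second, later check. */
static bool mda_execution_allowed(uid_t uid, const char *mda_path)
{
	return mda_path != NULL && (uid != 0 || strcmp(mda_path, PATH_MAILLOCAL) == 0);
}
```

Both checks are independent, so a forward entry that slips past the first is still stopped before execution by the second.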