smtpd: disallow custom mda for root deliveries
January 31, 2024 1:29 PM, "Omar Polo" <op@omarpolo.com> wrote:

> I really like this. I stopped the mda, changed the envelope in the
> queue to execute another mda as root, resumed and smtpd refused to run
> the mda. That's great!

Yay, I don't know why I didn't come up with this idea earlier...

> I also don't see a reason to execute commands from root's ~/.forward
> file, as it is way better to just use another unprivileged user.
>
> so, fwiw ok op@ :)

Nice, hopefully at least millert@ and eric@ could comment on this too because it touches such a critical part. Also, I don't know if I still have a commit bit nor if I'm allowed to commit or if someone else should commit it, so... :-)

> I'm looking forward to the next steps as well.

This diff makes sure that root is only allowed to execute an mbox MDA, but the MDA command line is heap allocated by parse.y, and dispatcher has a pointer to that buffer. So, theoretically, a corruption of that buffer (that would be very hard to achieve) could allow modifying the MDA command line, so having a const command line for mbox and checking that the root command line matches that const would make it even more complex to bypass the MDA restriction. I'll send a diff tonight, hopefully.
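The check described in the last paragraph, as an added illustration that is not OpenSMTPD's code and not the diff under discussion: the dispatcher refuses any non-mbox MDA for uid 0, and additionally compares the heap-held command line against a compile-time constant, so a buffer that was altered after parsing is refused even though the envelope still says "mbox". The enum names, the `struct mda_request` layout, the `mda_permitted`/`mda_check` functions and the `ROOT_MBOX_MDA_CMD` string are all assumptions made for this example, not smtpd identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/*
 * Illustrative model only; this is not OpenSMTPD code. The command string
 * below is a constructed placeholder standing in for the real mbox MDA
 * command line. The reference copy lives in read-only storage as a
 * compile-time constant, not in a heap buffer owned by the parsed
 * configuration, so the check never trusts what parse.y allocated.
 */
#define ROOT_MBOX_MDA_CMD "/usr/libexec/mail.local -f %{sender} %{user.username}"

/* Hypothetical delivery methods; names are not smtpd's. */
enum mda_method { MDA_MBOX = 0, MDA_MAILDIR, MDA_LMTP, MDA_COMMAND };

/* What the dispatcher knows about a pending delivery (simplified). */
struct mda_request {
	uid_t            uid;      /* user the MDA would run as */
	enum mda_method  method;   /* delivery method from the envelope */
	const char      *command;  /* MDA command line, points into heap config */
};

/* Return 1 if the dispatcher may execute this MDA, 0 if it must refuse. */
int
mda_permitted(const struct mda_request *req)
{
	if (req->uid != 0)
		return 1;	/* unprivileged users keep their configured MDA */

	/* root: only the mbox method is acceptable ... */
	if (req->method != MDA_MBOX || req->command == NULL)
		return 0;

	/*
	 * ... and only with exactly the constant command line. A heap copy
	 * altered after parsing fails this comparison even though the
	 * envelope still claims "mbox".
	 */
	return strcmp(req->command, ROOT_MBOX_MDA_CMD) == 0;
}

/* Convenience wrapper so a scenario fits on one line. */
int
mda_check(uid_t uid, enum mda_method method, const char *command)
{
	struct mda_request req = { uid, method, command };
	return mda_permitted(&req);
}

int
main(void)
{
	/* Simulate the heap-allocated copy the config parser would own. */
	char *heap_cmd = malloc(sizeof(ROOT_MBOX_MDA_CMD));
	if (heap_cmd == NULL)
		return 1;
	memcpy(heap_cmd, ROOT_MBOX_MDA_CMD, sizeof(ROOT_MBOX_MDA_CMD));

	printf("root, mbox, intact buffer:  %s\n",
	    mda_check(0, MDA_MBOX, heap_cmd) ? "allowed" : "refused");

	/* Simulate corruption of that buffer: flip one byte of the path. */
	heap_cmd[1] = 'X';
	printf("root, mbox, altered buffer: %s\n",
	    mda_check(0, MDA_MBOX, heap_cmd) ? "allowed" : "refused");

	printf("root, custom command:       %s\n",
	    mda_check(0, MDA_COMMAND, "/usr/local/bin/procmail") ? "allowed" : "refused");
	printf("uid 1000, custom command:   %s\n",
	    mda_check(1000, MDA_COMMAND, "/usr/local/bin/procmail") ? "allowed" : "refused");

	free(heap_cmd);
	return 0;
}
```

The design point is that the method flag alone is not the gate: the comparison against a constant in read-only memory means an attacker would have to both corrupt the heap buffer and make it byte-identical to the expected mbox command, which gains nothing.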