Gentoo Forums
fetchmail won't work with maildrop unless it's setuid [SOLVED]
Skotlex
Apprentice
Joined: 13 Mar 2004
Posts: 291
Posted: Wed May 31, 2017 1:44 pm    Post subject: fetchmail won't work with maildrop unless it's setuid [SOLVED]

I used to have a simple fetchmail+maildrop system in place to retrieve my emails without having the mail client opened, and it worked fine for a long time until Gentoo's maildrop package decided to no longer install setuid. This was many, many months ago, and back then I solved it by just doing a "chmod +s /usr/bin/maildrop". Recently I rebuilt world and bumped into this problem again, and wondered if there isn't a better solution to get these two working together (I mean, if Gentoo packages maildrop not setuid, it must be for a good reason)?

Fetchmailrc
Code:

# Configuration created Wed Sep 18 12:13:34 2002 by fetchmailconf
set postmaster "<>"
set bouncemail
set daemon 30
set no spambounce

poll imap.gmail.com
        proto imap
        service 993
        user "<>"
        pass "<>"
        ssl
        is <user>
        limit 0
        mda "/usr/bin/maildrop -d %T"
        fetchall


Last edited by Skotlex on Fri Jun 02, 2017 2:52 am; edited 1 time in total
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA
Posted: Wed May 31, 2017 6:57 pm

Maildrop is a mail delivery agent. I've not used it before as I've been using procmail.

Anyway, it seems that delivering mail could deliver to arbitrary users. As writing to other people's mailboxes requires permissions, this necessarily requires root. However, in your case, writing to your own mailbox should not need root access and thus suid root is superfluous.

What error does it report when it's not suid root? Perhaps that's the clue to how to fix it... Are you using mbox? Is the directory /var/spool/mail accessible to you as your unprivileged user (mode 1777)?
Skotlex
Apprentice
Joined: 13 Mar 2004
Posts: 291
Posted: Thu Jun 01, 2017 3:35 am

Well, even in a mono-user environment, Linux is designed to run processes from multiple users. Since I run fetchmail at system startup, it runs as the fetchmail user, so it does need to send email to a different user. When procmail is not setuid, it prints an error on invocation that it was unable to set its user/group:

Code:

/usr/bin/maildrop: Cannot set my user or group id.


So... if the maildrop command is supposed to change its user/group, why isn't it installed setuid, and what is supposed to be the right way to invoke it? Maybe I shouldn't worry about it and just make it setuid anyway?
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7051
Location: almost Mile High in the USA
Posted: Thu Jun 01, 2017 3:46 am

Ah, I thought you were running it as the individual user instead of as part of a system daemon.

I'm not sure how fetchmail could change to its fetchmail user when running as a system daemon... it has to be able to deliver in which it needs to be root or the user to write to the mailboxes... something doesn't seem right.
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1717
Posted: Thu Jun 01, 2017 6:27 pm

How 'bout using both user and group permissions?
Also, there are ACLs too, so a single file can have multiple owners. I don't particularly like this idea, but it could be a solution to some problems.
Setting permissions on the user's mail directory to 6770 would probably do the trick (together with setting the correct owner and group, and assigning the correct group to the user or mailer).
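As an added example (not code from the thread or from the maildrop project), a POSIX sh helper that checks the group-based layout szatox suggests and whether an MDA binary is really setuid root. It assumes the maildir path, the recipient user and the mailer's group are passed as arguments, and it treats the setgid bit on the directory as what makes newly delivered files inherit that group.

```shell
#!/bin/sh
# Added example, not from the thread: checks the layout szatox proposes for
# letting the fetchmail daemon write into a user's maildir through a shared
# group, and whether a given MDA binary is actually setuid root.
# Assumptions: the maildir path, the recipient user and the mailer's group
# are passed as arguments; only POSIX sh, ls and test are used.

# check_shared_maildir DIR OWNER GROUP
# Returns 0 when DIR is owned by OWNER, group-owned by GROUP, the group has
# rwx, the setgid bit is set (so files the MDA creates inherit GROUP) and
# "others" have no access at all. Prints each condition that fails.
check_shared_maildir() {
    dir=$1 want_owner=$2 want_group=$3 rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # ls -ld output: mode links owner group size date... name
    set -- $(ls -ld "$dir")
    mode=$1 owner=$3 group=$4
    [ "$owner" = "$want_owner" ] ||
        { echo "$dir: owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "$dir: group is $group, expected $want_group"; rc=1; }
    case "$mode" in                 # group triplet is characters 5-7
        d???rw[sx]*) ;;
        *) echo "$dir: group lacks rwx ($mode)"; rc=1 ;;
    esac
    [ -g "$dir" ] ||
        { echo "$dir: setgid bit missing, new files won't inherit $want_group"; rc=1; }
    case "$mode" in                 # "others" triplet is characters 8-10
        d??????---*) ;;
        *) echo "$dir: others have access ($mode)"; rc=1 ;;
    esac
    return $rc
}

# is_setuid_root FILE
# Returns 0 only if FILE has the setuid bit AND is owned by root, which is
# the combination the maildrop manual requires for -d to work.
is_setuid_root() {
    [ -u "$1" ] || return 1
    set -- $(ls -ld "$1")
    [ "$3" = root ]
}
```

Run it as `check_shared_maildir /home/user/.maildir user fetchmail` and `is_setuid_root /usr/bin/maildrop` to see which of the two setups from the thread a machine actually has.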
Skotlex
Apprentice
Joined: 13 Mar 2004
Posts: 291
Posted: Fri Jun 02, 2017 2:16 am

The main problem is maildrop being unable to set the correct user ID to deliver the mail to the user's mailbox. According to the manual:

Quote:

-d user
Run maildrop in delivery mode for this user ID.

The system administrator may optionally restrict the -d option to be available to the mail system only, so it may not be available to you. In all cases, the -d option is allowed if user is the same user who is running maildrop. Also, for the -d option to work at all, maildrop must be executed by root, or maildrop must be a root-owned program with the setuid bit set. Absence of a filename on maildrop's command line implies the -d option for the user running maildrop.


So, if the fetchmail user invokes maildrop -T (as I do in my fetchmailrc file), then dropmail should be setuid. Apparently the way Gentoo packages dropmail, it isn't meant to be used with the "-d" argument, so it expects users to run the program locally, not system-wide? Though I do wonder why dropmail can't have a "setuid" use flag for people who need to use it that way?

Maybe I'll just make my own overlay and add a setuid flag for future-proofing my system for the next rebuild.

On the other hand, a permission-based solution would, maybe, be about setting the maildir (~/.maildir) to be owned by user:fetchmail, so that the fetchmail daemon can write to it when invoking sendmail. I'll play a bit with that, though I suspect the right solution to my issue is to just install maildrop setuid.

EDIT: Okay, I checked the maildrop ebuild and I can actually make it set the binary setuid, but I have to enable the "authlib" use flag for that. Why do I need "net-libs/courier-authlib" when a setuid was enough to make my maildrop work? Who knows, but I suppose that's the Gentoo way to solve my issue :S
EDIT2: And okay again, it turns out that just setuid dropmail might be considered a security risk, because with authlib I can't use dropmail just like that; I get
Code:

ERR: authdaemon: s_connect() failed: No such file or directory
/usr/bin/maildrop: Temporary authentication failure.


So I need to set up something else and configure it to give proper authentication. ._. Time to read up on courier-authlib and how to set it up, but I don't want postgres or mysql backends for a non-mail-server machine. >_<

EDIT3: So I fixed that by just starting /etc/init.d/courier-authlib, but I am not sure how I feel about having to run an extra service just to be able to receive emails. I don't even know what it does, since I didn't have to touch any configuration nor set up any permissions on maildrop :O

Oh well, I guess that was a "just keep hitting things until it works" solution without actually fully understanding what the solution entails. X_X