[OpenAFS] fetchmail / afs / segfault revisited
Charles Clancy
security@xauth.net
Sun, 17 Mar 2002 18:55:40 -0600 (CST)
> It turns out that the villain is now procmail. It cant seem to read my
> ~/.procmailrc for some reason so it must not have a token:
Isn't procmail intended to automatically process incoming mail? I've
never used it, but I believe that's what it's for. It can be run by
sendmail from a "|/path/to/procmail" in your .forward, correct? Or, are
you running it from the command line to process mail you've just fetched
(with fetchmail, I assume)?
In the first case, it wouldn't work at all, because sendmail doesn't have
access to your AFS token. The second case should work.
First thing I noticed is that procmail is by default installed setuid.
In several different places, I tries to setuid:
ismene:~/procmail-3.22/src> grep -in setuid *.c
lockfile.c:72: if(setuid(uid)||geteuid()!=uid) /* resist setuid
operation */
misc.c:83:/* On systems with `capabilities', setuid/setgid can fail for
root! */
misc.c:100: if(setuid(uid)) /* "This
cannot happen" */
procmail.c:498: setuid(uid); /* make sure we have
enough space */
setid.c:18:
if(initgroups(argv[1],p->pw_gid)||setgid(p->pw_gid)||setuid(p->pw_uid))
You might try removing it's attempts to change UID, and recompile.
An example of using pagsh to run procmail:
ismene:~> id
uid=100(tclancy) gid=100(clancy) groups=100(clancy)
ismene:~> pagsh -c /bin/tcsh
ismene:~> id
uid=100(tclancy) gid=100(clancy) groups=33536,32524,100(clancy)
ismene:~> klog
Password:
ismene:~> procmail -whatever -options ...
Notice the list of groups is longer -- which indicates you now have a PAG.
Then, when you do a klog to get a token that will be with all the child
processes of your shell, regardless of their attempts to setuid.
[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]