[Pkg-sympa-devel] Bug#868313: sympa: incorrect permissions for helper commands with opensmtpd

Daniel ".koolfy" Faucon koolfy at koolfy.be
Fri Jul 14 12:31:52 UTC 2017


Package: sympa
Version: 6.2.16~dfsg-3
Severity: important


Hello,

When trying to run sympa with opensmtpd, I encountered some permission
issues.
When using aliases files to map for example

sympa  "| /usr/lib/sympa/bin/queue sympa@example.com"

as opensmtpd runs these commands as its unprivileged user
("opensmtpd"), these commands run with that UID, and therefore cannot
access various necessary files such as the sympa.config file that is only
readable by the sympa user or root.

I have found that the best way to fix this issue would be to have all
the files deployed to /usr/lib/sympa/bin/* under sympa:root permissions,
but with SETUID set.

So I basically did:

chown sympa /var/lib/sympa/bin/*
chmod 4755 /var/lib/sympa/bin/*


There is one notable exception though, the binary
/var/lib/sympa/bin/sympa_newaliases-wrapper needs to run the newaliases
command, which needs root permissions.

So that particular file will also need the setuid set, but be owned by
root:root instead of sympa:root, for this very reason.

Opensmtpd does not actually need to run the newaliases command, but other
MTAs will, and even if I didn't check for myself, I suspect other MTAs
will attempt to run the /var/lib/sympa/bin commands as unprivileged
users and run into the same problems opensmtpd did, therefore needing
these setuid set.


The code and actions of sympa_newaliases-wrapper seem benign enough that
we could allow it to have the root setuid, but maybe a closer inspection
would be needed by someone more familiar than me with its mechanics.

https://github.com/sympa-community/sympa/blob/master/src/libexec/sympa_newaliases-wrapper.c

As is, this proposed solution is the best, simplest and safest I could
come up with.

hope this helps :)
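
A check an administrator could run after ownership and mode changes like the ones described in the report above, added here as an example (it is not part of the original message or of the sympa package). It lists the setuid files in a directory with mode and owner, and flags those owned by root, executable by any local user, or writable by non-owners. The function name `audit_setuid` and the flag labels are made up for this example; `stat -c` and `find -maxdepth` (GNU or busybox) are assumed.

```shell
#!/bin/sh
# Added example: audit setuid helper binaries in a directory.
# Assumes stat(1) with -c format support (GNU coreutils or busybox).

# audit_setuid DIR
# Prints one line per setuid regular file directly in DIR:
#   <octal mode> <owner> <path> [flags]
# flags: setuid-root  owner is uid 0, so the helper runs as root
#        world-exec   "other" execute bit set, so any local user can run it
#        writable     group- or world-writable, so non-owners can replace it
audit_setuid() {
    dir=$1
    find "$dir" -maxdepth 1 -type f -perm -4000 | sort | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        uid=$(stat -c '%u' "$f")
        owner=$(stat -c '%U' "$f")
        flags=""
        if [ "$uid" -eq 0 ]; then flags="$flags setuid-root"; fi
        # Last octal digit = permissions for "other"; odd means execute.
        other=${mode#"${mode%?}"}
        if [ $((other % 2)) -eq 1 ]; then flags="$flags world-exec"; fi
        # Second-to-last digit = group permissions; bit 2 means write.
        rest=${mode%?}
        group=${rest#"${rest%?}"}
        if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
            flags="$flags writable"
        fi
        printf '%s %s %s%s\n' "$mode" "$owner" "$f" "$flags"
    done
}

# Run against a directory given on the command line, e.g. the helper
# directory named in the report.
if [ "$#" -gt 0 ]; then
    audit_setuid "$1"
fi
```
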


