You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/01/17 21:50:13 UTC
[Bug 4086] New: When run as nobody, child processess get root privileges
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
Summary: When run as nobody, child processess get root privileges
Product: Spamassassin
Version: 3.0.2
Platform: Macintosh
OS/Version: Mac OS X
Status: NEW
Severity: critical
Priority: P2
Component: Score Generation
AssignedTo: dev@spamassassin.apache.org
ReportedBy: brad@koehn.com
When I installed SA-3.0.2, I noticed the following when running ps xauww:
nobody 9845 0.0 3.3 108920 36344 ?? Ss 7:55AM 0:17.21 /usr/bin/spa
md -dcx --virtual-config-dir=/var/spamassassin/%u -i 10.0.1.253 -A 10.0.1.254 -u
nobody -r /var/run/spamd.pid
root 9854 0.0 6.0 112772 66908 ?? S 7:55AM 0:16.28 spamd child
root 9855 0.0 5.9 111752 66188 ?? S 7:55AM 0:12.65 spamd child
root 9856 0.0 6.0 111724 66412 ?? S 7:55AM 0:13.96 spamd child
root 9857 0.0 5.9 111696 65208 ?? S 7:55AM 0:10.44 spamd child
root 9858 0.0 5.9 111696 66264 ?? S 7:55AM 0:13.68 spamd child
Notice that the parent process is running as nobody like it's supposed to, but
all of the children are running as root. When it's first started, the child
processes run as nobody, but it seems that as they process messages they are
being promoted to run as root, and they stay that way.
Now if there are any security holes in SA or any plugins, they are exposed with
root access to my machine (running Mac OS X Server 10.3.7 with all patches
applied).
As far as I know SA-3.0.1 didn't do this on the same system.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
------- Additional Comments From jm@jmason.org 2005-02-07 12:01 -------
'In 3.1, the parent will always be root, and the children will be the -u
user. (this is to standardize our behavior with the rest of the world,
and allow things like HUP to actually work...)'
sure -- but the bug here is that the children are running as root, not as nobody
(the -u user).
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
------- Additional Comments From felicity@kluge.net 2005-02-07 11:29 -------
Subject: Re: When run as nobody, child processess get root privileges
On Mon, Feb 07, 2005 at 11:11:00AM -0800, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> Actually, there's a different issue here; if I recall correctly, spamd's
> children run as ruid=root euid=root when they're *not* processing a message, so
> that they can switch to other users' UIDs during a scan.
IIRC, in 3.0, if -u is given on the commandline, that should be the user
used for parent and children.
In 3.1, the parent will always be root, and the children will be the -u
user. (this is to standardize our behavior with the rest of the world,
and allow things like HUP to actually work...)
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges on MacOS X
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
spamassassin@dostech.ca changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |DUPLICATE
------- Additional Comments From spamassassin@dostech.ca 2005-04-26 23:37 -------
*** This bug has been marked as a duplicate of 3897 ***
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges on MacOS X
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
quinlan@pathname.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|critical |major
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
------- Additional Comments From brad@koehn.com 2005-02-06 09:44 -------
attached patch (2005.02.06 09:03) does not fix problem on Mac OS X. Same
symptoms (initially spamd child has correct uid; after processing one message,
spamd child runs as root).
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|Future |3.1.0
------- Additional Comments From jm@jmason.org 2005-02-07 11:11 -------
need to figure out what's going on here for 3.1.0
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
------- Additional Comments From jm@jmason.org 2005-02-07 11:10 -------
Actually, there's a different issue here; if I recall correctly, spamd's
children run as ruid=root euid=root when they're *not* processing a message, so
that they can switch to other users' UIDs during a scan.
This is required because a single child proc may scan several hundred
messages before exiting; it's a preforked server pool, not a single-scan
child as in previous versions of SpamAssassin.
btw, regarding the patch, how does that relate to bug 3586, which was a rewrite
of the setuid code in spamd to work with MacOS X and explicitly changed that
code to what it is now?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
------- Additional Comments From arkadi@mebius.lv 2005-02-06 09:03 -------
Created an attachment (id=2640)
--> (http://bugzilla.spamassassin.org/attachment.cgi?id=2640&action=view)
Fix setuid prob for *BSD
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges on MacOS X
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|When run as nobody, child |When run as nobody, child
|processess get root |processess get root
|privileges |privileges on MacOS X
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
brad@koehn.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|Score Generation |spamc/spamd
OS/Version|Mac OS X |FreeBSD
Priority|P2 |P1
Platform|Macintosh |All
------- Additional Comments From brad@koehn.com 2005-02-06 09:17 -------
Updated for all freebsd.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
arkadi@mebius.lv changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |arkadi@mebius.lv
------- Additional Comments From arkadi@mebius.lv 2005-02-06 08:59 -------
Same problem on FreeBSD. BSD setuid/seteuid differs from Linux implementation.
spamd must be patched to perform setuid calls in different order.
idea(p1)root:/home/arkadi/build> cat test-setuid.pl
#!/usr/bin/perl
$( = 2030;
$) = "2030 2030";
$< = 2030;
$> = 2030;
print `/usr/bin/id`;
idea(p1)root:/home/arkadi/build> ./test-setuid.pl
uid=2030(pkadmin) gid=2030(pkadmin) groups=2030(pkadmin)
idea(p1)root:/home/arkadi/build> cat test-setuid-bad.pl
#!/usr/bin/perl
$) = "2030 2030";
$( = 2030;
$> = 2030;
$< = 2030;
print `/usr/bin/id`;
idea(p1)root:/home/arkadi/build> ./test-setuid-bad.pl
uid=0(root) euid=2030(pkadmin) gid=2030(pkadmin) groups=2030(pkadmin)
idea(p1)root:/home/arkadi/build> uname -r
4.9-RELEASE-p3
Both test cases works fine on Linux, so there should be no problem.
Brad, please change the Component/Hardware/OS bug attributes.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges on MacOS X
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
------- Additional Comments From brad@koehn.com 2005-04-27 07:23 -------
The solution for bug 3897 does in fact resolve this bug on Mac OS X Server.
Thanks everybody!
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4086] When run as nobody, child processess get root privileges
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4086
------- Additional Comments From brad@koehn.com 2005-02-09 08:34 -------
I used the following test to check spamd 3.0.2 (unpatched) on my Mac OS X 10.3.7
Server box:
while [ /bin/true ] ; do
ps xuwwa|grep spam | grep child | grep -v "^root"
done
Initially, it spat out (repeatedly :-) every spamd child process, with "nobody"
as the owner. As mail came in, it was assigned to a spamd child process, which
ran the checks. Somewhere at/near the end of processing the message was when the
spamd child process stopped running as nobody and started running as root (I
could tell by watching the spamd child process CPU time increasing). Eventually
my little test app output nothing, indicating that all spamd children were
running as root.
As new mail was processed by spamd children that have already processed one
message, those spamd children are scanning my mail while running as root. So
spamd children runs as nobody the first time they process a message, but never
again.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.