[bug-mailutils] [Feature request] Find "sendmail" in $PATH at runtime
Sergey Poznyakoff
2017-10-08 12:39:38 UTC
Hi Bjørn,
> For packaging mailutils in Nix/NixOS I/we would like to have the
> "mail" program lookup the path to "sendmail" at runtime via the $PATH
> environment variable.
Have you considered the security implications of such a move?
> How to do that?
There's no way to do this currently, except for symlinking the actual
sendmail-compatible binary (whatever it is in your distro) to the
predefined path (preferably, to the place defined by _PATH_SENDMAIL
in your /usr/include/paths.h). In fact, that's what all distros that
I've ever seen do.

Best regards,
Sergey
Bjørn Forsman
2017-10-08 12:56:04 UTC
Hi Sergey,
Post by Sergey Poznyakoff
> Hi Bjørn,
>> For packaging mailutils in Nix/NixOS I/we would like to have the
>> "mail" program lookup the path to "sendmail" at runtime via the $PATH
>> environment variable.
> Have you considered the security implications of such a move?
My reasoning is that as long as "mail" is not setuid root (or anything
that elevates the privileges of the user invoking it), there is no
security issue. But I'm actually not that familiar with "mail"... does
it ever get installed setuid? (Currently it doesn't on NixOS.)

Do you see any issues?
Post by Sergey Poznyakoff
>> How to do that?
> There's no way to do this currently, except for symlinking the actual
> sendmail-compatible binary (whatever it is in your distro) to the
> predefined path (preferably, to the place defined by _PATH_SENDMAIL
> in your /usr/include/paths.h). In fact, that's what all distros that
> I've ever seen do.
I see. We could do that too (hardcode path to sendmail), but
Nix/nixpkgs aims to be a generic (mostly distro-agnostic) package
manager, so hardcoding it for yet another distro seems like a step
back. Ideally, we'd have one binary working on multiple distros.

Best regards,
Bjørn Forsman
Bjørn Forsman
2017-10-23 07:59:15 UTC
Hi Sergey,
Post by Bjørn Forsman
> Hi Sergey,
> Post by Sergey Poznyakoff
>> Hi Bjørn,
>>> For packaging mailutils in Nix/NixOS I/we would like to have the
>>> "mail" program lookup the path to "sendmail" at runtime via the $PATH
>>> environment variable.
>> Have you considered the security implications of such a move?
> My reasoning is that as long as "mail" is not setuid root (or anything
> that elevates the privileges of the user invoking it), there is no
> security issue. But I'm actually not that familiar with "mail"... does
> it ever get installed setuid? (Currently it doesn't on NixOS.)
> Do you see any issues?
Can you confirm whether this is an issue?

I looked closer at how mailutils is built in Nixpkgs and noticed that
Makefile.in/am files are patched with "s/chmod [24]755/chmod 0755/".
(That's due to the multi-user (unprivileged) package manager security
model of Nixpkgs/NixOS; packages are built and installed unprivileged
and if a program needs setuid, a setuid wrapper program is made at the
OS level, which only an admin user is allowed to set up.)

Looking into which utils use setuid/gid I find:

$ grep -rn "chmod.*755" mailutils-3.2/
mailutils-3.2/maidag/Makefile.in:1514: chmod 4755 $(DESTDIR)$(sbindir)/$$i;\
mailutils-3.2/maidag/Makefile.am:64: chmod 4755 $(DESTDIR)$(sbindir)/$$i;\
mailutils-3.2/dotlock/Makefile.in:1335: chmod 2755 $(DESTDIR)$(bindir)/$$i;\
mailutils-3.2/dotlock/Makefile.am:30: chmod 2755 $(DESTDIR)$(bindir)/$$i;\

So in the end, only "maidag" and "dotlock" use setuid/gid, not "mail"?

Best regards,
Bjørn Forsman
