[RndTbl] "washing" a fork/exec to force all groups

Adam Thompson athompso at athompso.net
Mon Apr 17 08:02:52 CDT 2023

If it's feasible, turn on command execution in postfix, make sure it's using a private aliases file, and do a "|/whatever" in its global aliases - if the original recipient does NOT have a matching userid, I believe you can have that command run as root.  Running out the door, can't check, but that just occurred to me.

Get Outlook for Android<https://aka.ms/AAb9ysg>
From: Roundtable <roundtable-bounces at muug.ca> on behalf of Adam Thompson <athompso at athompso.net>
Sent: Monday, April 17, 2023 7:58:29 AM
To: Continuation of Round Table discussion <roundtable at muug.ca>
Subject: Re: [RndTbl] "washing" a fork/exec to force all groups

Why: "security".  I don't recall the details, but I think I remember this change - quite a long time ago, and it never affected me.

The more general solution is broadly accepted to be: stop using procmail.  It's ancient, unmaintained code that doesn't meet modern <anything> standards.  Ask about procmail problems on any of the MTA mailing lists and you will be soundly and roundly flamed for still using it.

If you use Dovecot, you already have a full SIEVE implementation.  Of course procmail can do dangerous things that SIEVE refuses to do, but for most sane needs, it's IMHO far superior to .procmailrc syntax.  Much like switching from sendmail syntax to postfix syntax.  You might consider that a bug, not a feature, YMMV.

Penultimately, I think you want procmail to be setuid root, and invoke it with the "-d" flag.  It doesn't get installed setuid anymore because (see above) it's ancient, unmaintained, and believed to not be safe to invoke as root.

As to sudo, the usual solution is to put your users in a group and allow the group instead of the user.  You could "rootwash" procmail itself by using a wrapper script that sudo's procmail instead of having procmail sudo php.  You could theoretically have postfix invoke "sudo postfix" but that might be more trouble than it's worth.

If you don't have root on the box?  Just use .forward files.  First character on the first line is "|" = exactly what you're doing with procmail.  Wait, you still have the secondary group problem, so maybe SSH to localhost to get the grous back?  I'm not sure how to regain secondary groups without a root process adding them, sorry.

-----Original Message-----
From: Roundtable <roundtable-bounces at muug.ca> On Behalf Of Trevor Cordes
Sent: Monday, April 17, 2023 3:52 AM
To: MUUG RndTbl <roundtable at muug.ca>
Subject: [RndTbl] "washing" a fork/exec to force all groups

Just ran into this:


Postfix is doing something before/while it calls procmail for local
delivery which strips all but the primary group of the recipient.  This
means any complicated pipe I have setup in procmail which relies on
secondary groups fails with read perm errors.

Sendmail doesn't do this stupidity (yay)!  But I needed to (argh finally)
use postfix on a box that needed 2 MTAs installed (and sendmail couldn't,
in the end, do it properly).

I consider the current stackoverflow answer to be a non-answer because
Fedora/RHEL doesn't install procmail setgid/setuid anymore, and I don't
want to fudge u+s g+s on every dnf update!

I've solved the problem by "washing" the procmail piped-to command through
sudo.  I had to add to sudoers:
fooman  ALL=(fooman) NOPASSWD: /bin/php

and change my procmail recipe pipe to:
| /bin/sudo -u fooman /bin/php /needs/secondary/groups/to/read.php

Ok great, it all works with postfix now just like it did with sendmail.

The tricky question for you uber *nix geeks is: Can I achieve the same
thing without the sudoers entry?  In other words, is there a way to
achieve this without root access, if someone didn't have root on the box,

Too bad sudo isn't smart enough to say "hey, user fooman can run anything
as user fooman" without a specific entry.  Maybe an option for postfix?
Maybe some magic sudo or su can do?

Is an option to procmail possible or is this a problem that can *only* be
solved by washing the call, somewhere along the line, through a setuid
program (because once stripped by postfix they are gone forever)?

I wonder why sendmail doesn't chop off the groups but postfix does.
Roundtable mailing list
Roundtable at muug.ca

Roundtable mailing list
Roundtable at muug.ca
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://muug.ca/pipermail/roundtable/attachments/20230417/6d8b546b/attachment-0001.htm>

More information about the Roundtable mailing list