bin/54731: [PATCH] bug in mail.local can cause unnecessary mail
delivery delays
Oleg Bulyzhin
oleg at rinet.ru
Mon Jul 21 16:40:15 PDT 2003
>Number: 54731
>Category: bin
>Synopsis: [PATCH] bug in mail.local can cause unnecessary mail delivery delays
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 21 16:40:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Oleg Bulyzhin
>Release: FreeBSD 4.8-RELEASE i386
>Organization:
Cronyx Plus LLC (RiNet ISP)
>Environment:
System: FreeBSD lath.rinet.ru 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Sat Apr 5 12:35:16 MSD 2003 root at lath.rinet.ru:/lh/obj/lh/src/sys/lath i386
All sendmail versions (including 8.12.9) are affected.
(This bug affects systems without maillock(). Not sure about
systems where maillock() exists).
>Description:
During mailbox locking mail.local creates a lock file (usually
/var/log/mboxname.lock). Under certain circumstances mail.local is
unable to remove this lock file after a delivery attempt, thus the next
mail delivery (handled by another mail.local process) can be delayed
for up to LOCKTO_RM seconds (5min).
Here is the explanation:
First, mail.local creates the lock file using super-user privileges.
Before the delivery attempt mail.local drops privileges by calling
setreuid() (mail.local.c:1073). Then, in various error checking
code, goto err0 & goto err1 are used (mail.local.c:1087 1103 1148 1165).
If any of these errors occurs, mail.local will be unable to remove
the lock file, because it calls unlockmbox() (mail.local.c:1231) having
euid == uid of the mbox owner (while the lock file is owned by root).
Thus the unlink call (mail.local.c:1398) will fail.
The next mail.local process will be unable to deliver mail until the lock
file expires (expire time LOCKTO_RM seconds).
>How-To-Repeat:
It's not easy to repeat it with the original mail.local because the
errors which can lead to this problem are quite rare (actually,
I have never seen any of them). The problem was noticed when I tested a slightly
modified mail.local (a simple implementation of a mailbox size limit).
>Fix:
There is a misplaced setreuid(0,0) call: we need super-user privileges
neither for truncating (mail.local.c:1228) the mailbox nor for closing
(mail.local.c:1230) it. But we need those privileges for removing the
root-owned lock file.
--- mail.local.c.orig Mon Mar 3 20:31:13 2003
+++ mail.local.c Tue Jul 22 03:28:05 2003
@@ -1220,7 +1220,6 @@
{
mailerr("450 4.2.0", "%s: %s", path, sm_errstring(errno));
err3:
- (void) setreuid(0, 0);
#ifdef DEBUG
fprintf(stderr, "reset euid = %d\n", (int) geteuid());
#endif /* DEBUG */
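Review bot: With the setreuid(0, 0) line removed at err3, the DEBUG fprintf that follows still prints "reset euid = %d", but at this point the euid is still the mailbox owner's, so the message is now misleading. Move the #ifdef DEBUG block to after the relocated setreuid(0, 0) at err0, or reword it to say it reports the current euid.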
@@ -1228,7 +1227,8 @@
(void) ftruncate(mbfd, curoff);
err1: if (mbfd >= 0)
(void) close(mbfd);
-err0: unlockmbox();
+err0: (void) setreuid(0, 0);
+ unlockmbox();
return;
}
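Review bot: At err0 the result of setreuid(0, 0) is discarded with a (void) cast, so if regaining root fails, unlockmbox() still runs unprivileged and the lock file is left behind silently, which is the delay this change is meant to remove. Check the return value and report a failure (through mailerr or a debug message), and add a short comment at err0 saying root is needed there to remove the root-owned lock file.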
>Release-Note:
>Audit-Trail:
>Unformatted:
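The cleanup-ordering problem described in this report, as an added C example that is not code from mail.local or from the submitter: a lock file is created as root, privileges are dropped, and the unlink is attempted either before or after root is restored. Assumptions: seteuid() stands in for the setreuid() calls, `cleanup_lock`, `DEMO_SKIPPED` and the /tmp path are hypothetical names, uid 65534 is an unprivileged id, and the scenario needs root (otherwise the function reports that it was skipped).

```c
/* Added example, not mail.local source: cleanup order for a root-owned lock. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define DEMO_SKIPPED 2      /* scenario needs root; reported instead of faked */
#define UNPRIV_ID    65534  /* assumption: an unprivileged id ("nobody") */

/* Returns 0 if the lock was removed, -1 if it was left behind. */
int cleanup_lock(int restore_root_first)
{
    char dir[] = "/tmp/spoolXXXXXX";    /* stand-in for the mail spool */
    char lock[64];
    int fd, rc;

    if (geteuid() != 0 || mkdtemp(dir) == NULL)
        return DEMO_SKIPPED;
    snprintf(lock, sizeof(lock), "%s/mbox.lock", dir);
    fd = open(lock, O_CREAT | O_EXCL | O_WRONLY, 0600);  /* created as root */
    if (fd >= 0)
        close(fd);
    if (fd < 0 || seteuid(UNPRIV_ID) != 0) {  /* drop to the "mailbox owner" */
        unlink(lock);
        rmdir(dir);
        return DEMO_SKIPPED;
    }

    /* ... a delivery error occurs here and control reaches the cleanup ... */
    rc = 0;
    if (restore_root_first && seteuid(0) != 0)  /* patched order */
        rc = -1;
    if (unlink(lock) != 0)                      /* the unlock step */
        rc = -1;

    /* Tidy up as root so the failing variant leaves nothing behind. */
    if (seteuid(0) == 0) {
        unlink(lock);
        rmdir(dir);
    }
    return rc;
}

int main(void)
{
    printf("unlink while unprivileged: %d\n", cleanup_lock(0));
    printf("root restored first:       %d\n", cleanup_lock(1));
    return 0;
}
```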