Bug#581739: permission check on .forward files ignores user private groups

Sun May 16 11:24:31 UTC 2010

On 2010-05-15 Andreas Hemel <dai.shan at gmx.net> wrote:
> Package: exim4
> Version: 4.71-4
> Severity: normal

> According to bug #581434 the default umask on new installations will
> change from 022 to 002. Debian uses user private groups, meaning every
> user is in his own private group, that nobody else is a member of.

Hello,
This is not entirely correct. Debian uses user private groups *by*
*default* but can also be set differently. Just take a look at the
.debian.org machines, they do not use UPGs (except for alioth):

ametzler at merkel:~$ getent passwd ametzler
ametzler:x:2571:800:Andreas Metzler,,,,:/home/ametzler:/bin/bash
ametzler at merkel:~$ getent group 800
Debian:x:800:cvs_boot
ametzler at merkel:~$ groups
Debian

> This change makes it easier to setup additional collaboration groups
> without the need to bug all partaking users to change their umask.
> For further details see #581434 and the discussion on debian-devel
> [1].

> Exim checks the permission bits on user .forward files and refuses to
> deliver any mail if the .forward file is group writable. It does not
> check if the user is the only member in the group associated with the
> .forward file. In that case setting the group writable bit is save. The
> change of the default umask causes all .forward files created on new
> installs to have the group writable bit set by default.

> If Exim refuses to deliver mail because of this, the user is not (and
> probably can not be) notified and the only way to find out why mail is
> not deliviered is looking at the log files, to which a regular user does
> not have access. 

> I've reproduced this problem with both 4.71-4 from unstable and
> 4.71-2~bpo50+1 from lenny-backports. With the latter version I even
> completly lost some system mail. I realize that bounces could not be
> deliviered because both the receiver and sender were essentially the
> same user (with the 'broken' .forward permissions), but I do not
> understand why these mails were dropped instead of being frozen.

I could set 

modemask = 002

on the userforward router and make it overrideable by macro. Since we
already set check_local_user the modemask setting switches on
check_group. Exim will require that the .forward file is owned by the
users primary group. (This could introduce breakage on upgrades if
.forward is 0600 but owned by a different group delivery will break.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'