Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

setuid in smtp.py sheds privileges before binding port #53414

Closed
alfmel mannequin opened this issue Jul 5, 2010 · 6 comments
Closed

setuid in smtp.py sheds privileges before binding port #53414

alfmel mannequin opened this issue Jul 5, 2010 · 6 comments
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@alfmel
Copy link
Mannequin

alfmel mannequin commented Jul 5, 2010

BPO 9168
Nosy @warsaw, @giampaolo, @florentx, @akheron
Files
  • smtpd.py-0.2-setuid-fix.diff: Fix setuid/bind order patch
  • smtpd.py-0.2-setuid-fix_v2.diff: Fix setuid/bind order
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2011-10-20.21:30:32.838>
created_at = <Date 2010-07-05.16:20:39.501>
labels = ['type-bug', 'library']
title = 'setuid in smtp.py sheds privileges before binding port'
updated_at = <Date 2011-10-20.21:30:32.836>
user = 'https://bugs.python.org/alfmel'

    bugs.python.org fields:

    activity = <Date 2011-10-20.21:30:32.836>
actor = 'flox'
assignee = 'none'
closed = True
closed_date = <Date 2011-10-20.21:30:32.838>
closer = 'flox'
components = ['Library (Lib)']
creation = <Date 2010-07-05.16:20:39.501>
creator = 'alfmel'
dependencies = []
files = ['17871', '23481']
hgrepos = []
issue_num = 9168
keywords = ['patch', 'needs review']
message_count = 6.0
messages = ['109336', '113940', '146012', '146052', '146053', '146054']
nosy_count = 6.0
nosy_names = ['barry', 'giampaolo.rodola', 'flox', 'alfmel', 'python-dev', 'petri.lehtinen']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue9168'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3']
    @alfmel
    Copy link
    Mannequin Author

    alfmel mannequin commented Jul 5, 2010

    The SMTP proxy server in Python (smtpd.py) allows you to shed privileges and run as user nobody. However, if you are trying to use port 25, the server will shed privileges before binding the port, causing a bind failure. By moving the setuid code between the creation of the proxy server and the aysncore loop, we can bind a port below 1024 and run as nobody.

    @alfmel alfmel mannequin added the stdlib Python modules in the Lib dir label Jul 5, 2010
    @alfmel alfmel mannequin added the type-crash A hard crash of the interpreter, possibly with a core dump label Aug 6, 2010
    @alfmel
    Copy link
    Mannequin Author

    alfmel mannequin commented Aug 15, 2010

    I haven't heard anything on this problem or my patch. What's the status?

    @merwok merwok added type-bug An unexpected behavior, bug, or error and removed type-crash A hard crash of the interpreter, possibly with a core dump labels Feb 4, 2011
    @akheron
    Copy link
    Member

    akheron commented Oct 20, 2011

    The patch looks good to me and fixes the problem. To reproduce, try this:

    sudo python -m smtpd 127.0.0.1:25

    It raises a "socket.error: [Errno 13] Permission denied" when trying to bind to the privileged port.

    Attached a refreshed the patch that applies cleanly on top of current 2.7 branch.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Oct 20, 2011

    New changeset 7d92b94b0eec by Florent Xicluna in branch '3.2':
    Issue bpo-9168: now smtpd is able to bind privileged port.
    http://hg.python.org/cpython/rev/7d92b94b0eec

    New changeset bbd92b42508e by Florent Xicluna in branch 'default':
    Issue bpo-9168: now smtpd is able to bind privileged port.
    http://hg.python.org/cpython/rev/bbd92b42508e

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Oct 20, 2011

    New changeset d2f303861c98 by Florent Xicluna in branch '2.7':
    Issue bpo-9168: now smtpd is able to bind privileged port.
    http://hg.python.org/cpython/rev/d2f303861c98

    @florentx
    Copy link
    Mannequin

    florentx mannequin commented Oct 20, 2011

    Fixed. Thank you for the patch.

    @florentx florentx mannequin closed this as completed Oct 20, 2011
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    2 participants
    @akheron @merwok