deliver: Don't allow running as setuid-root if world can execute the binary.
authorTimo Sirainen <tss@iki.fi>
Thu, 15 Jan 2009 22:14:29 +0000 (17:14 -0500)
committerTimo Sirainen <tss@iki.fi>
Thu, 15 Jan 2009 22:14:29 +0000 (17:14 -0500)
--HG--
branch : HEAD

src/deliver/deliver.c

index 6342a71f171ac65fbbfbda406f73ececc93630cf..fb0ac7ec0b9abec3b7b2217e2d86a64f12e8f401 100644 (file)
@@ -834,6 +834,24 @@ int main(int argc, char *argv[])
        pool_t userdb_pool = NULL;
        string_t *str;
 
+       if (getuid() != geteuid() && geteuid() == 0) {
+               /* running setuid - don't allow this if deliver is
+                  executable by anyone */
+               struct stat st;
+
+               if (stat(argv[0], &st) < 0) {
+                       fprintf(stderr, "stat(%s) failed: %s\n",
+                               argv[0], strerror(errno));
+                       return EX_CONFIG;
+               } else if ((st.st_mode & 1) != 0) {
+                       fprintf(stderr, "%s must not be both world-executable "
+                               "and setuid-root. This allows root exploits. "
+                               "See http://wiki.dovecot.org/LDA#multipleuids\n",
+                               argv[0]);
+                       return EX_CONFIG;
+               }
+       }
+
        i_set_failure_exit_callback(failure_exit_callback);
 
        lib_init();
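Review bot: The new check calls `stat(argv[0], &st)`, but argv[0] is chosen by the invoking process and a relative name is resolved against the caller's working directory, so the file whose mode is inspected is not guaranteed to be the setuid binary that is actually running. As written this works as a misconfiguration warning for the administrator rather than an enforced boundary; if it is meant to enforce, stat a path the caller cannot influence (a build-time install path, or the OS's own reference to the running executable where the platform provides one) and state that in the comment. Separately, the bare `1` in `(st.st_mode & 1)` is clearer as `} else if ((st.st_mode & S_IXOTH) != 0) {`. main() starts before and continues past this hunk, so any earlier handling of argv is not visible here.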