| Summary: | Procmail error message "procmail[27400]: Suspicious rcfile "/home/pew/.procmailrc" pretty useless | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | w unruh <unruh> |
| Component: | RPM Packages | Assignee: | All Packagers <pkg-bugs> |
| Status: | RESOLVED OLD | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | luigiwalser, marja11, ouaurelien |
| Version: | 6 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | procmail | CVE: | |
| Status comment: | | | |
| Attachments: | patch for error message | | |

Description
w unruh
2018-03-24 18:00:19 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package, CC'ing committer.

CC: (none) => luigiwalser, marja11

I have just discovered that that error message is described in the procmail man page. I missed it the first time I looked. It would still be useful if the error message included some hint as to what the problem was (e.g. suspicious rcfile: permissions?). Certainly I would not regard wrong permissions as a suspicious file, but my annoyance is somewhat abated having found the description.

I think the idea is, if your home directory is writable by more than you, someone else could have created the .procmailrc file and done something undesirable. In RedHat-family distros that create groups for each user, it's OK to be g+w, but in other distros that would be bad. I don't see any value in being g+w though, so I would just revert that and close the bug.

The error was not so much that the program forced certain permissions onto the procmailrc file, but that the error message was completely unhelpful. It is often useful to have a number of people all in the same group and able to write to another user's files (e.g. family, groups at work) but still have separate mail. I have some doubt that forcing specific permissions onto people is sensible (for ssh and the .ssh files I can see the sense, but for procmailrc it is pretty dubious), but this bug refers to the uselessness of the error message. The error it reports is NEVER about the file itself, as "suspicious procmailrc" would suggest, but about the permissions of that file or its directory. Even something like "suspicious procmailrc permissions" would be better (although that error is also delivered when that file fails an fstat, which would not suggest a suspicious file but a corrupted filesystem).

It wasn't the permissions of the procmailrc file that were the issue, it was the permissions of your home directory. Having shared write access to files absolutely can be useful, but other users should never have write access to your home *directory* as that means that they can create or delete any files in that directory. That's never OK. If you want other people to have access to files that you've given them group write on, the only directory access they need is execute (plus read if you want them to be able to list the directory contents). I agree the error message could be more clear, but that's something you'd have to ask upstream to fix.

If you trust them, it's OK. After all, root has unlimited access to all your files, and that is OK, since you do (or have to) trust the person who has root, or sudo. The attempt to force others to work and have the network of trust that you do is what I would call not OK. Is it dangerous to give group access to your home directory? Sure, but then it is far, far more dangerous to drive in a car with someone else driving. It could kill you, while group write permission on HOME cannot. And for procmail to try to enforce that kind of permission is really inappropriate. It is really none of its business (or the writers of procmail's business). It could warn you, but it does more than that. But you are undoubtedly right that all this should be taken up with upstream. Again, given that the man page explains what that confusing error message means, I really have no basis to complain to Mageia about it.

Upstream does not exist. Here is a response from Philip Guenther who is listed as the upstream in the man procmail page. (Stephen vandenBerg is listed as the other creator).

Date: Sun, 25 Mar 2018 15:26:04
From: Philip Guenther <pguenther@proofpoint.com>
To: Bill Unruh <unruh@physics.ubc.ca>
Cc: Stephen R. van den Berg <srb@cuci.nl>
Subject: Re: Procmail error message

On Sun, 25 Mar 2018, Bill Unruh wrote:
> The procmail error message Suspicious rcfile "/home/pew/.procmailrc" is
> misleading, and should really give a hint that the problem is in the
> permissions (usually) rather than the file itself (which is what the
> current message implies). I wasted a lot of time trying to figure out
> what was wrong with the contents of the file before discovering that the
> problem was actually in the permissions of the home directory.

I agree that if procmail was still being maintained and released, that would be a good suggestion; however, to the best of my knowledge, no one is maintaining it outside of individual distributions. You may want to file a bug with whatever distribution you use, as they may maintain patches used when building the binaries they distribute.

Well, you can always submit a patch :D

Created attachment 10063
patch for error message
Changed error message from
"Suspicious rcfile" to
"rcfile not used- HOME/file permissions?"
Also altered procmail.man page to reflect change.
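
An added example (not part of this bug thread or of procmail's source): a small Python diagnostic that names the specific cause the thread identifies behind "Suspicious rcfile", namely a failed stat or group/other write permission on the rcfile or on the directory that contains it. The names `diagnose_rcfile` and `demo` and the temporary "home" directory are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Write bits that let someone other than the owner modify the path.
WRITE_BITS = ((stat.S_IWGRP, "group-writable"), (stat.S_IWOTH, "world-writable"))


def diagnose_rcfile(rcfile):
    """Return specific reasons why rcfile would be distrusted (empty list = OK).

    Covers only the causes named in the discussion: a failed stat, or group/other
    write permission on the rcfile or on the directory that contains it.
    """
    reasons = []
    directory = os.path.dirname(os.path.abspath(rcfile))
    for label, path in (("directory", directory), ("rcfile", rcfile)):
        try:
            mode = os.stat(path).st_mode
        except OSError as exc:
            reasons.append(f"{label} {path}: stat failed ({exc.strerror})")
            continue
        for bit, name in WRITE_BITS:
            if mode & bit:
                reasons.append(f"{label} {path}: {name} (mode {stat.S_IMODE(mode):04o})")
    return reasons


def demo():
    """Build a constructed home directory and report on three states of it."""
    home = tempfile.mkdtemp(prefix="fakehome-")  # constructed sample, not a real $HOME
    rc = os.path.join(home, ".procmailrc")
    open(rc, "w").close()
    os.chmod(rc, 0o600)
    results = {}
    os.chmod(home, 0o755)
    results["clean"] = diagnose_rcfile(rc)
    os.chmod(home, 0o775)  # the reporter's case: group-writable home directory
    results["group_writable_home"] = diagnose_rcfile(rc)
    os.remove(rc)  # rcfile gone: stat fails, directory is still group-writable
    results["missing_rcfile"] = diagnose_rcfile(rc)
    os.chmod(home, 0o700)
    os.rmdir(home)
    return results


if __name__ == "__main__":
    for state, reasons in demo().items():
        print(state, "->", reasons or "ok")
```

Run against a real account with `diagnose_rcfile(os.path.expanduser("~/.procmailrc"))`; a report naming the directory rather than the rcfile is the situation that cost the reporter time.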

Mageia 6 changed to end-of-life (EOL) status on 2019-09-30. It is no longer maintained, which means that it will not receive any further security or bug fix updates.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Mageia version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we weren't able to fix it before Mageia 6's end of life. If you are able to reproduce it against a later version of Mageia, you are encouraged to click on "Version" and change it against that version of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Mageia release includes newer upstream software that fixes bugs or makes them obsolete.

If you would like to help fixing bugs in the future, don't hesitate to join the packager team via our mentoring program [1] or join the teams that fit you most [2].

[1] https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
[2] http://www.mageia.org/contribute/

Best regards,
Aurélien
Bugsquad Team

CC: (none) => ouaurelien