CVE-2020-8793: 
NixOS vulnerability analysis and mitigation

OpenSMTPD before version 6.6.4 contains a local information disclosure vulnerability (CVE-2020-8793) that allows unprivileged local users to read arbitrary files on Linux distributions. The vulnerability stems from a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c. The vulnerability was discovered and reported by Qualys Security Advisory in February 2020 (OSS Security).

The vulnerability exploits a combination of issues including a Local Privilege Escalation into the group _smtpq and TOCTOU (time-of-check to time-of-use) race conditions. The vulnerability allows attackers to bypass both the _smtpq group check in offline_scan() and the hardlink check in offline_enqueue(). The attack involves creating hardlinks to target files and manipulating file states between checks, enabling access to restricted files (OSS Security).

An unprivileged local attacker can read the first line of any arbitrary file (such as root's password hash in /etc/master.passwd) or the entire contents of another user's file if this file and /var/spool/smtpd/ are on the same filesystem. On Fedora 31, due to smtpctl being set-group-ID root instead of set-group-ID smtpq, the vulnerability could be exploited to obtain full root privileges (OSS Security).

The vulnerability was fixed in OpenSMTPD version 6.6.4. Ubuntu ships with /proc/sys/fs/protected_hardlinks enabled by default, making this vulnerability not exploitable on Ubuntu systems. For Fedora, the fix was implemented in opensmtpd-6.6.2p1-1.fc31, released on February 9, 2020, which correctly made smtpctl set-group-ID smtpq instead of set-group-ID root (Ubuntu Security, OSS Security).