Subject: Re: Nasty hole in postifx/procmail/cyrus
From: Dylan Griffiths (Dylan_G@bigfoot.com)
Date: Sat Jul 01 2000 - 02:56:08 CDT


John Pettitt wrote:
>
> There are a number of hacks about that allow postfix to deliver to cyrus
> imap mailboxes via procmail. It turns out that at least one of these has
> a hole in it that allows a bad guy to run code as the cyrus user.
>

Secure Postfix+Procmail+Cyrus micro-howto

This should be secure, as $1, $2, etc., are not trusted nor read. Postfix
parses the user@domain.dom part for us and feeds USER= and EXTENSION= lines
to procmail, which works on those variables only.

The entry in master.cf for procmail to be used as a mailbox_transport:

procmail unix - n n - - pipe
    flags=R user=cyrus argv=/usr/bin/procmail -p /home/cyrus/procmail.common
    USER=${user} EXTENSION=${extension}

The procmail.common file:

#################################################
# procmailrc
# you must explicitly set a path if you're going to be spawning programs
PATH=/usr/cyrus/bin:/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
LOGFILE=/home/cyrus/$USER.log
DELIVERMAIL=/usr/cyrus/bin/deliver

###############################
# If users want to be able to define their own private recipes
# and put them in their home .procmailrc files, comment out
# the next definition.
#
# These recipes will be processed BEFORE the user-specific
# recipes that are kept in the /home/cyrus directory
#
#INCLUDERC=/home/$USER/.procmailrc
#
# If you do NOT want to define any user-specific recipes
# that you manage centrally (perhaps because you only want
# to allow your users to "roll their own"), then
# comment out the following line. Otherwise, you have
# to create a file for each user in the form:
# procmail.username -- for example, procmail.Joe
INCLUDERC=/home/cyrus/procmail.$USER
#

EXITCODE=

# If this fails, it tries without the extension
:0w
| $DELIVERMAIL -a $USER -e -q -m $EXTENSION $USER

# If this fails, it returns error!
:0w
| $DELIVERMAIL -a $USER -e -q $USER

# The "e" flag runs this block only if the previous recipe failed.
:0 e
{
        # Hand deliver's exit status back to Postfix, then stop processing
        # this rcfile (a bare HOST line ends it), so procmail exits with it.
        EXITCODE=$?
        HOST
}
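The following is an added example, not code from the original post, Postfix, procmail or Cyrus. It models the path the two files above describe: the pipe(8) transport filters ${user} and ${extension} before handing them to procmail as USER= and EXTENSION=, and procmail.common then runs deliver with the extension mailbox first and the plain INBOX second. The character set used for the filter is assumed to match Postfix's documented default command_expansion_filter, the recipient delimiter is assumed to be "+", the Cyrus mailbox list and the failure exit code are constructed stand-ins, and toy_deliver is a hypothetical replacement for the real deliver(8).

```python
# Model of the Postfix -> procmail -> Cyrus deliver path from the howto.
# Added example; nothing here is the original post's code.  Items marked
# "assumed" or "constructed" are not taken from the page.

# Assumed: Postfix's documented default command_expansion_filter.  pipe(8)
# replaces every character of ${user}/${extension} outside this set with "_"
# before building the command line, which is why $1/$2-style shell parsing
# is unnecessary and why metacharacters in an address never reach procmail.
COMMAND_EXPANSION_FILTER = set(
    "1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
)
RECIPIENT_DELIMITER = "+"                # assumed main.cf recipient_delimiter
DELIVERMAIL = "/usr/cyrus/bin/deliver"   # as set in procmail.common
DELIVERY_FAILED = 75                     # constructed stand-in for a nonzero deliver(8) exit


def split_recipient(address):
    """Return (user, extension) for 'user+ext@domain'; extension is '' if absent."""
    localpart = address.rsplit("@", 1)[0]
    user, _, extension = localpart.partition(RECIPIENT_DELIMITER)
    return user, extension


def expansion_filter(value):
    """pipe(8)-style sanitising of one expanded ${...} attribute."""
    return "".join(c if c in COMMAND_EXPANSION_FILTER else "_" for c in value)


def procmail_argv(address, rcfile="/home/cyrus/procmail.common"):
    """argv that the master.cf entry produces for one recipient."""
    user, extension = split_recipient(address)
    return ["/usr/bin/procmail", "-p", rcfile,
            "USER=" + expansion_filter(user),
            "EXTENSION=" + expansion_filter(extension)]


def deliver_attempts(user, extension):
    """The two deliver(8) command lines procmail.common tries, in order.
    procmail executes them directly (no SHELLMETAS in the line) after
    expanding variables and splitting on whitespace, so an empty $EXTENSION
    vanishes: '-m' then swallows $USER and the first attempt fails, which is
    what lets the second recipe catch plain user@domain mail."""
    first = [DELIVERMAIL, "-a", user, "-e", "-q", "-m", extension, user]
    second = [DELIVERMAIL, "-a", user, "-e", "-q", user]
    return [[w for w in first if w != ""], second]


def toy_deliver(argv, mailboxes):
    """Constructed stand-in for deliver(8): reads -a/-e/-q/-m and the trailing
    user list and 'delivers' to user.<user>[.<mailbox>] if it exists."""
    mailbox, users, i = None, [], 1
    while i < len(argv):
        if argv[i] in ("-a", "-m"):
            if argv[i] == "-m":
                mailbox = argv[i + 1]
            i += 2
        elif argv[i] in ("-e", "-q"):
            i += 1
        else:
            users.append(argv[i])
            i += 1
    if not users:
        target = mailbox    # no user given: top-level mailbox, no user.* prefix
    else:
        target = "user." + users[0] + ("." + mailbox if mailbox else "")
    if target in mailboxes:
        return 0, target
    return DELIVERY_FAILED, None


def simulate(address, mailboxes):
    """Run the whole path for one address: (exit code, mailbox or None).
    A nonzero code is what EXITCODE=$? in procmail.common returns to Postfix."""
    user, extension = split_recipient(address)
    user, extension = expansion_filter(user), expansion_filter(extension)
    code = 0
    for argv in deliver_attempts(user, extension):
        code, target = toy_deliver(argv, mailboxes)
        if code == 0:
            return 0, target
    return code, None


if __name__ == "__main__":
    boxes = {"user.alice", "user.alice.bugtraq"}   # constructed Cyrus mailbox list
    print(procmail_argv("alice+bug traq@example.com"))
    for addr in ("alice+bugtraq@example.com", "alice+news@example.com",
                 "bob@example.com"):
        print(addr, simulate(addr, boxes))
```

The filter step is the part that matters for the hole in the quoted message: whatever the sender puts in the local part arrives in procmail as an already-sanitised USER/EXTENSION value, and procmail passes those to deliver as separate argv words rather than through a shell. The first attempt for an address without an extension fails on purpose, as the comments in procmail.common say, and the second recipe delivers to the INBOX.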

An example procmail.user file:

:0
* ^Return-Path: +<owner-postfix-users@postfix.org
{ EXTENSION="postfix" }

:0
* ^TOBUGTRAQ@SECURITYFOCUS.COM
{ EXTENSION="bugtraq" }

HTH.

-- 
    www.kuro5hin.org -- technology and culture, from the trenches.