From: Alex van den Bogaerdt (alex_at_ergens.op.HET.NET)
Date: Sun Jul 28 2002 - 10:30:24 CDT
Wietse Venema wrote:
> The proposed scheme needs to specify what mail spool directory
> ownership and permissions are required.
>
> The proposed scheme needs to specify for each step what specific
> uid and gid privileges will be used.
Ack.
For argument's sake: suppose that has been done, and it has been
done properly, does the proposal make sense?
In other words: Am I on the right track?
> > The trick is that postfix will only change the ownership if the
> > mkdir(2) command succeeded. mkdir(2) will only be called if there
> > is no directory present. Even if there is something present, such
> > as a file, directory or symlink, mkdir(2) will fail and thus the
> > exercise is aborted --> no chown(2)
>
> What guarantees that chown(2) actually changes the right object,
> instead of changing the ownership of something that is specified
> by a malicious non-root user (postfix or otherwise)?
SVr4, POSIX, BSD, SYSV, X/OPEN. At least, that's what my manual
tells me. The security is in mkdir(2).
There is no object to begin with. The object is created by the
same code that is changing the ownership.
Warning: Next piece of code is NOT intended as the final code, it
just is here as an example. Error checking and so on is not included.
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* fake functions, you know what I mean: switch the effective uid
** to root and back again (the real thing is left to the final code)
*/
extern void change_uid_to_root(void);
extern void change_uid_back_to_user(void);

/* we want to create dir $username in the current directory
** and we want it to be done with root privileges. At entry
** of this function we are inside $mail_spool_directory and
** checks have been performed so we know the dir is safe.
** Returns 0 on success, 1 on failure.
*/
int create_user_dir(const char *username, uid_t userid, gid_t mailgroup)
{
    int failed = 1; /* assume failure */

    change_uid_to_root(); /* just a fake function, you know what I mean */
    if (mkdir(username, 0) == 0) { /* success: a fresh directory only root can enter */
        if (chown(username, userid, mailgroup) == 0) { /* success */
            if (chmod(username, 0700) == 0) { /* success */
                failed = 0;
            }
        }
    }
    change_uid_back_to_user();
    if (failed) {
        /* report to postmaster. This function should never fail
        ** so if it does, something is really wrong with the
        ** mail spool directory.
        */
    }
    return failed;
}
This piece of code will only be called if a directory needs to be
created. It will only succeed if there is not already a directory
entry (whatever it is) with the name $username. It will fail if
mkdir(2) fails and thus will not change a currently existing entry.
If and only if the mkdir(2) call was successful, chown is
called. The result of mkdir(2) is a directory that no one can access
except root. If root can't be trusted, nothing can.
cheers,
Alex
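The exchange above turns on one property of mkdir(2): it refuses to touch an entry that already exists, so nothing an attacker pre-plants under the user's name is ever chown'ed. What mkdir(2) does not cover is the window between a successful mkdir and a later chown/chmod that name the directory by path, which is the gap Wietse's question points at. The following is an added example, not code from Alex's post or from Postfix, written with the *at family of calls and descriptor-based fchown/fchmod (all of which postdate this 2002 thread) so that every step after the create acts on the inode that mkdir produced rather than on whatever the name resolves to at that moment. The function name create_mailbox_dir, the spoolfd argument (an already-validated descriptor for the spool directory), and the throwaway /tmp spool with the user names alice, bob and carol in run_scenarios are all assumptions made for the example.

```c
#define _XOPEN_SOURCE 700 /* mkdirat, openat, fstatat, symlinkat, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close fd, set errno to err and report failure in one step. */
static int fail_fd(int fd, int err)
{
    close(fd);
    errno = err;
    return -1;
}

/* Create spooldir/username for (uid, gid) with mode 0700. Returns 0, or -1
 * with errno set if any entry already has that name or anything else fails.
 * spoolfd is an open descriptor for the spool directory; the caller is
 * assumed to have already checked the spool's ownership and permissions. */
int create_mailbox_dir(int spoolfd, const char *username, uid_t uid, gid_t gid)
{
    struct stat st;
    int dirfd;

    /* Refuse names that would escape the spool directory. */
    if (username[0] == '\0' || strchr(username, '/') != NULL
        || strcmp(username, ".") == 0 || strcmp(username, "..") == 0) {
        errno = EINVAL;
        return -1;
    }
    /* 1. Atomic create. EEXIST if *anything* (file, dir, symlink) already
     *    uses the name, so a pre-planted entry is never chown'ed. Until the
     *    chown below only the creator (root, in the proposal) can enter it. */
    if (mkdirat(spoolfd, username, 0700) != 0)
        return -1;
    /* 2. Open what we created without following symlinks: if the name was
     *    swapped for a symlink after mkdir, this fails with ELOOP. */
    dirfd = openat(spoolfd, username, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd < 0)
        return -1;
    /* 3. Prove the inode behind the descriptor is the one we made: a
     *    directory owned by the creating effective uid. */
    if (fstat(dirfd, &st) != 0)
        return fail_fd(dirfd, errno);
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid())
        return fail_fd(dirfd, EPERM);
    /* 4. Change owner and mode through the descriptor, never by path, so the
     *    change lands on this inode whatever happens to the name meanwhile. */
    if (fchown(dirfd, uid, gid) != 0 || fchmod(dirfd, 0700) != 0)
        return fail_fd(dirfd, errno);
    close(dirfd);
    return 0;
}

/* Exercise the function in a throwaway spool under /tmp (constructed for
 * this example). Returns 0 when every scenario behaves as intended, else
 * the number of the first scenario that did not (-1 if setup failed). */
int run_scenarios(void)
{
    char spool[] = "/tmp/spool-example-XXXXXX";
    uid_t me = getuid();
    gid_t mine = getgid();
    struct stat st;
    int spoolfd, fd, rc;

    if (mkdtemp(spool) == NULL)
        return -1;
    spoolfd = open(spool, O_RDONLY | O_DIRECTORY);
    if (spoolfd < 0)
        return -1;
    /* Plant what someone with write access to the spool could leave behind:
     * a plain file under one name and a symlink to a sensitive dir under another. */
    fd = openat(spoolfd, "carol", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0)
        close(fd);
    if (fd < 0 || symlinkat("/etc", spoolfd, "bob") != 0)
        return -1;

    if (create_mailbox_dir(spoolfd, "alice", me, mine) != 0 /* 1. fresh name */
        || fstatat(spoolfd, "alice", &st, AT_SYMLINK_NOFOLLOW) != 0
        || !S_ISDIR(st.st_mode) || (st.st_mode & 0777) != 0700 || st.st_uid != me)
        rc = 1;
    else if (create_mailbox_dir(spoolfd, "alice", me, mine) == 0 || errno != EEXIST)
        rc = 2; /* 2. already present: refused, untouched */
    else if (create_mailbox_dir(spoolfd, "bob", me, mine) == 0 || errno != EEXIST
        || fstatat(spoolfd, "bob", &st, AT_SYMLINK_NOFOLLOW) != 0 || !S_ISLNK(st.st_mode))
        rc = 3; /* 3. planted symlink: refused, /etc never chown'ed */
    else if (create_mailbox_dir(spoolfd, "carol", me, mine) == 0 || errno != EEXIST)
        rc = 4; /* 4. planted file: refused */
    else if (create_mailbox_dir(spoolfd, "../escape", me, mine) == 0 || errno != EINVAL)
        rc = 5; /* 5. path separator in the name: refused */
    else
        rc = 0;

    unlinkat(spoolfd, "alice", AT_REMOVEDIR);
    unlinkat(spoolfd, "bob", 0);
    unlinkat(spoolfd, "carol", 0);
    close(spoolfd);
    rmdir(spool);
    return rc;
}
```

Steps 2 and 3 matter only if someone other than the creator can remove or rename entries in the spool, that is, if the spool is world-writable without the sticky bit; with a root-owned spool that only root can write, the swap between mkdir and chown cannot happen and the checks simply confirm it. Either way, the chown and chmod are issued on the descriptor, so the answer to "what guarantees chown changes the right object" no longer depends on the name at all.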