From: Alex van den Bogaerdt (alex_at_ergens.op.HET.NET)
Date: Sun Jul 28 2002 - 17:26:40 CDT

    Wietse Venema wrote:

    > What guarantees that chown(2) and chmod(2) will change the object
    > created with mkdir(2), even when a non-root user is subverted
    > (postfix or otherwise)?

    > See, for example:
    >
    > http://www.google.com/search?hl=en&ie=ISO-8859-1&q=race+condition+chown
    > http://www.google.com/search?hl=en&ie=ISO-8859-1&q=race+condition+chmod

    From my first post with this exact subject:

    >Also, $mail_spool_directory needs to be owned by root and there
    >shouldn't be another way of creating the necessary directory.
    >For instance: write permissions to group mail or group postfix
    >indicates postfix should use group privileges. This is not
    >covered in this mail but using a subset of the logic could
    >probably do the trick.

    What I meant to say, and probably didn't say, is:
    $mail_spool_directory needs to be owned by root and should
    have write permissions only for root. If there are permissions
    for the group or for others, use those other privileges.

    This doesn't mean I covered those cases. For now let's concentrate
    on the root-owned directory case.

    So, we have a directory only writable by root.

    Needed for a race condition:
    Change permissions on either the parent directory or on the object
    being created.

    $mail_spool_directory is not writable except for root. If the user
    already cracked root he won't use postfix to do something bad. Even
    if he would, no one will blame postfix.

    The directory created by my function is owned by root. Again, the
    attacker can do nothing unless he already has root privileges.

    Setting the permissions to zero may be unnecessary, but it
    doesn't hurt either.

    Both chown and chmod related race conditions need a window of
    opportunity where the link in the directory is changed from what
    postfix wants it to be into something the attacker wants it to be.
    There is no such window as the attacker cannot change it.

    The object created by mkdir, provided it succeeded, is guaranteed to
    be the one postfix wants it to be.

    Does this answer your question above?
    Alex