Thus wrote "D. J. Bernstein" <[EMAIL PROTECTED]>:
> I didn't look at the Postfix code; I merely noticed that one of the
> documented ``security features'' was an obvious design error. See
>
> http://cr.yp.to/maildisasters/postfix.html
>
> for the complete story.
Your site is outdated in technical respects; your efforts seem to have
been successful almost two years ago, and I thank you for finding the
problem.
Provided that the user chooses the "safe" path in section 12 of the
INSTALL document (I'm not citing that here), Postfix has a dedicated
group for that maildrop directory which is group writable, and a
setgid-to-that-group command to handle injecting mail:
$ sudo ls -ld /var/spool/postfix/maildrop/ /usr/sbin/postdrop \
| awk '{printf "%s %8s %8s %s\n", $1,$3,$4,$9;}' # to limit line width
-rwxr-sr-x root postdrop /usr/sbin/postdrop
drwx-wx--T postfix postdrop /var/spool/postfix/maildrop/
Citing from Postfix's HISTORY document as of 20001030:
"19981221
[...]
Bugfix: the maildrop directory should not be world-readable.
Files: conf/postfix-script, showq/showq.c.
[...]
19981225
[...]
Feature: when a writable maildrop directory is a problem,
sites can make the new "postdrop" utility set-gid. This command
is never used when the maildrop directory is world-writable.
19990316
[...]
Workaround: use fstat() to figure out if the maildrop is
world-writable. access() uses the real uid, which stinks."
There are no further notes on world-writability or postdrop until
snapshot-20001030.
Thus, Postfix-19990317 and any later releases, when installed with a
group-writable postdrop directory, are immune to the attacks you
described.
Would you mind updating your site? You could add a warning that
Postfixen before 19990317 are insecure, and that Postfix from 19990317
and younger MUST be installed to use a setgid postdrop command and a
GROUP (not world)-writable maildrop directory.
--
Matthias Andree
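The check the quoted HISTORY entries describe (decide from the directory's mode bits via stat()/fstat(), never via access(), because access() answers for the real uid and so gives a set-gid helper the caller's view rather than its own) is small enough to show in full. The following is an added example written for this thread; it is not Postfix code, and the helper names, the enum values and the constructed /tmp scratch directory are assumptions for the demonstration. It classifies a maildrop directory as world-writable (the layout DJB's page objects to), group-writable with the sticky bit (the "safe" layout from INSTALL section 12, drwx-wx--T above), or private.

```c
/* Added example, not Postfix's own code: classify a maildrop directory
 * by its permission bits, the way the 19990316 HISTORY entry describes. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum maildrop_kind {
    MAILDROP_BAD,            /* missing, unreadable metadata, or not a directory */
    MAILDROP_WORLD_WRITABLE, /* o+w: any local user can inject or tamper */
    MAILDROP_GROUP_WRITABLE, /* g+w without o+w: only a set-gid helper's group writes */
    MAILDROP_PRIVATE         /* neither: only the owner can write */
};

/* Decide from st_mode, never from access(): access() answers for the real
 * uid/gid, so inside a set-gid helper it reports the invoking user's rights,
 * not the helper's. The HISTORY entry uses fstat() on an already opened
 * descriptor; the st_mode bits examined are the same ones as stat() returns. */
enum maildrop_kind classify_maildrop(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return MAILDROP_BAD;
    if (st.st_mode & S_IWOTH)
        return MAILDROP_WORLD_WRITABLE;
    if (st.st_mode & S_IWGRP)
        return MAILDROP_GROUP_WRITABLE;
    return MAILDROP_PRIVATE;
}

/* The 'T' in drwx-wx--T: with the sticky bit set, group members who may
 * create queue files cannot remove or rename each other's files. */
int maildrop_sticky(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && (st.st_mode & S_ISVTX) != 0;
}

/* The layout the thread recommends: group-writable, not world-writable,
 * sticky. Returns 1 when the directory matches, 0 otherwise. */
int maildrop_layout_ok(const char *path)
{
    return classify_maildrop(path) == MAILDROP_GROUP_WRITABLE && maildrop_sticky(path);
}

/* Demonstration helper (hypothetical): create a scratch directory under /tmp
 * with an explicit mode; chmod after mkdtemp so the umask cannot interfere.
 * Returns a malloc'd path, or NULL on failure. */
char *make_scratch_dir(mode_t mode)
{
    char *path = strdup("/tmp/maildrop-demo-XXXXXX"); /* constructed path */
    if (path == NULL || mkdtemp(path) == NULL || chmod(path, mode) != 0) {
        free(path);
        return NULL;
    }
    return path;
}

int main(void)
{
    static const char *names[] = { "bad", "world-writable", "group-writable", "private" };
    static const mode_t modes[] = { 01733, 01730, 0700 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        char *d = make_scratch_dir(modes[i]);
        if (d == NULL)
            return 1;
        printf("%05o  %-15s sticky=%d layout_ok=%d\n", (unsigned)modes[i],
               names[classify_maildrop(d)], maildrop_sticky(d), maildrop_layout_ok(d));
        rmdir(d);
        free(d);
    }
    return 0;
}
```

Run as any user; the scratch directories are created with modes 01733 (world-writable, the pre-19990317 problem), 01730 (the drwx-wx--T layout from the ls output above) and 0700, and are removed again. The real postdrop command is set-gid to the maildrop group, so the directory's group write bit is what grants it access while the missing world write bit is what denies it to everyone else.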