Re: User script for modifying main.cf and other config files
On Mon, Feb 08, 2021 at 03:47:27PM -0500, Alex wrote:

> I still have to consider much of what you've written before I can
> respond, but I wanted to be sure my design was clear here - it's not
> so much that end-users are modifying the config in the same way as
> webmin does, like making changes directly to main.cf, but type in the
> name of a new domain to be added to relay_domains, for example. The
> script then modifies main.cf to apply that change.

If the goal is to just modify *data* elements in main.cf, and not
structural settings, then in the vast majority of cases specific data
elements can be set via separate files or database tables.

    # File with one domain per-line
    # relay_domains = ${config_directory}/relay_domains

    # An indexed file with ignored non-empty RHS
    # relay_domains = cdb:${config_directory}/relay_domains

    # An LDAP table, with data managed centrally.
    # relay_domains = ldap:${config_directory}/relay_domains.cf
    ...

As much as possible, avoid pasting user-provided strings directly into
main.cf and master.cf.

For directly editing the files, one might employ a git repository to
which only authorised administrators can push commits, and where, to
keep routine changes simple, there's separation between a template for
expert users and parameter values applied to the template that are
ideally less error-prone in the hands of less-expert users.

--
    Viktor.
Re: User script for modifying main.cf and other config files
On Mon, 8 Feb 2021, Alex wrote:

> I still have to consider much of what you've written before I can
> respond, but I wanted to be sure my design was clear here - it's not so
> much that end-users are modifying the config in the same way as webmin
> does, like making changes directly to main.cf, but type in the name of a
> new domain to be added to relay_domains, for example. The script then
> modifies main.cf to apply that change.

Then configure main.cf to be "static" and refer to sql, ldap table
lookups in relay_domains. It's much easier and you don't need to give
root access to anything for main.cf modifications.

Best regards,
Jozsef
-
E-mail  : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
Re: User script for modifying main.cf and other config files
Alex wrote:

> it's not so much that end-users are modifying the config in the same
> way as webmin does, like making changes directly to main.cf, but
> type in the name of a new domain to be added to relay_domains, for
> example. The script then modifies main.cf to apply that change.

In that case the expected thing would be to use database tables to hold
those configuration values. Then have your web UI interface update those
database tables. That obviates the need to modify the main.cf file.

    http://www.postfix.org/MYSQL_README.html

This still places the general security of the system with the security
of the web UI. Really no difference there. But it removes the need to
edit the cf files.

Let me gently suggest looking into holding the things you need to change
in database tables. And then interfacing with those with your web UI.
Then... Profit! :-)

Bob
Re: User script for modifying main.cf and other config files
> > Perhaps passwordless sudo with the explicit ability to act on these
> > files and reload/restart postfix? Is it okay to create a backup
> > directory in /etc/postfix that's owned by this script user?
>
> I wonder what changes you need to make so frequently. Whatever they are, stop
> and reconsider. There is no scenario where allowing users to alter your mail
> config could be considered secure.

I still have to consider much of what you've written before I can
respond, but I wanted to be sure my design was clear here - it's not so
much that end-users are modifying the config in the same way as webmin
does, like making changes directly to main.cf, but type in the name of a
new domain to be added to relay_domains, for example. The script then
modifies main.cf to apply that change.

I'm certainly not minimizing the risk - that's exactly why I'm posting
here, but I'm hoping I can mitigate the most obvious problems and
continue to make it more secure.

> ¹ I am not specifically recommending webmin, I do not run it and I would not
> run it as I prefer accessing my server via ssh with a key exchange which can
> only be duplicated if someone gets my private key file off my home machine,
> or if someone can login to the console on-site as me.

That's exactly how I've been doing it for decades now as well (I'm still
no expert), but I'm hoping to create something that makes it easier for
our local admins and perhaps others in the future.
Re: User script for modifying main.cf and other config files
On 08 Feb 2021, at 09:44, Michael Ströder wrote:
> On 2/8/21 2:28 PM, @lbutlr wrote:
>> Use a tool like Webmin¹.
>
> IIRC webmin has a long history of security issues.

They all do.

>> It is, in my opinion a very very bad idea,
>
> I don't understand why you recommend something you consider a bad idea.

Because despite being a terrible idea it is a thousand times better than
what the OP is planning on doing.

>> For user management, including admin access to hosted
>> domains, a tool like postfixadmin seems to work pretty well.
>
> Especially user management (or other volatile map) is better done in a
> remote database like LDAP server, mysql etc.

Postfixadmin is just a friendly interface into the mail sql database.

--
"Are you pondering what I'm pondering?"
"I think so, Ali-Brain! But isn't it cheating to use glue?"
Re: User script for modifying main.cf and other config files
On 2/8/21 2:28 PM, @lbutlr wrote:
> Use a tool like Webmin¹.

IIRC webmin has a long history of security issues.

> It is, in my opinion a very very bad idea,

I don't understand why you recommend something you consider a bad idea.

> For user management, including admin access to hosted
> domains, a tool like postfixadmin seems to work pretty well.

Especially user management (or other volatile map) is better done in a
remote database like LDAP server, mysql etc.

Ciao, Michael.
Re: User script for modifying main.cf and other config files
On 07 Feb 2021, at 08:54, Alex wrote:
> I'm working on a front-end to modify our main.cf and other config
> files, such as the transport and relay_recips file and want to be sure
> I'm doing it securely.

Use a tool like Webmin¹. It is, in my opinion a very very bad idea, but
the way to do this outside of an admin shell session is through an admin
panel.

For user management, including admin access to hosted domains, a tool
like postfixadmin seems to work pretty well.

That said, if you have an admin interface like webmin or postfixadmin
you need to be very conscious of keeping these tools up-to-date as they
are frequent targets of attack.

> Postfix complains if the files are not owned by root, but I don't want
> the script to have to run as root. What is the most secure way to do
> this?

Definitely not via an automated script that takes user submission and
changes your mail config. Even allowing access to files that you may
think are OK (virtual or aliases, perhaps?) can be disastrous.

> Perhaps passwordless sudo with the explicit ability to act on these
> files and reload/restart postfix? Is it okay to create a backup
> directory in /etc/postfix that's owned by this script user?

I wonder what changes you need to make so frequently. Whatever they are,
stop and reconsider. There is no scenario where allowing users to alter
your mail config could be considered secure.

I do have one script that generates a postfix config file, but it is
entirely automated and writes a daily bcc file. Even though it is very
simple, I ran it by this list in case I'd overlooked something very
stupid. It's been running for over 4 years now so I'm /relatively/
confident there's nothing wrong with it.

¹ I am not specifically recommending webmin, I do not run it and I would
not run it as I prefer accessing my server via ssh with a key exchange
which can only be duplicated if someone gets my private key file off my
home machine, or if someone can login to the console on-site as me.

--
"Are you pondering what I'm pondering?"
"I think so, Brain, but shouldn't the bat boy be wearing a cape?"
Re: User script for modifying main.cf and other config files
On Sun, Feb 07, 2021 at 03:26:29PM -0500, Alex wrote:

> > Quoting Zathros, "Cannot say. Saying, I would know. Do not know, so
> > cannot say." It all depends upon your use of sudo. One can't say it
> > won't be secure. The devil is in the details.
>
> I figured that if main.cf was owned by root and group writable, the
> regular user would be able to edit it, then use sudo to reload/restart
> when necessary. Apache is running as user "apache" while the php-fpm
> user is "developer". The developer account is not in the same group as
> the apache user.

Any user who can freely modify either main.cf or master.cf is trivially
able to get root privileges. As a corollary, any user who should NOT
have root privileges, should NOT be able to freely modify main.cf or
master.cf.

Therefore, the only way to allow non-root users to "tweak" these files
is to build carefully controlled templates, that only admit a set of
"safe" modifications, with the non-root user able to set some parameters
for the template, which are validated by "root" and used as "root" to
construct the "safely" modified main.cf and/or master.cf files.

If you really want a different security model, you can run Postfix in a
container, with no pipe(8), local(8) or virtual(8) based transports,
i.e. all mail delivery via LMTP or SMTP. Then unsafe changes inside the
container might only be able to break email delivery, without
compromising the external system (assuming the virtualisation stack does
not have bugs that enable breaking out of the container).

--
    Viktor.
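A worked version of the approach Viktor describes in his two replies in this thread (a root-validated "safe" parameter applied to a data file that a static main.cf refers to, rather than user strings pasted into main.cf), added here as example code that is not from any poster. It assumes main.cf contains `relay_domains = /etc/postfix/relay_domains` (one domain per line, as in his first example), that the web user can run only this helper through sudo, and that `postfix reload` is the correct follow-up; the file path and function names are the editor's choices.

```python
"""Root-side helper for one 'safe' change: add a domain to the file that a
static main.cf reads via relay_domains = /etc/postfix/relay_domains.
Example code added by the editor, not from the thread; it assumes the web
user may run only this helper via sudo, so input never reaches main.cf."""
import os
import re
import subprocess
import tempfile

RELAY_DOMAINS_FILE = "/etc/postfix/relay_domains"  # assumed path

# Hostname labels: letters, digits, hyphens; 1-63 chars; no leading or
# trailing hyphen; at least two labels; 253 chars overall. Whitespace,
# '#', '=', ',', '$' and shell metacharacters therefore never pass.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")

def validate_domain(raw: str) -> str:
    """Normalise a submitted domain name or raise ValueError."""
    name = raw.strip().lower().rstrip(".")
    if len(name) > 253 or not _DOMAIN_RE.fullmatch(name):
        raise ValueError(f"not a valid domain name: {raw!r}")
    return name

def is_valid_domain(raw: str) -> bool:
    try:
        validate_domain(raw)
    except ValueError:
        return False
    return True

def merge_relay_domains(current: str, raw: str) -> str:
    """Pure step: current file text plus one validated domain gives the
    new file text, sorted and de-duplicated (comment lines dropped)."""
    domains = {ln.strip() for ln in current.splitlines()
               if ln.strip() and not ln.strip().startswith("#")}
    domains.add(validate_domain(raw))
    return "".join(f"{d}\n" for d in sorted(domains))

def add_relay_domain(raw, path=RELAY_DOMAINS_FILE, reload=True) -> str:
    """Privileged step: atomic replace of the file, then reload Postfix."""
    current = ""
    if os.path.exists(path):
        with open(path, encoding="ascii") as fh:
            current = fh.read()
    new_text = merge_relay_domains(current, raw)
    # Write beside the original and rename over it: no half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(new_text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    if reload:
        subprocess.run(["postfix", "reload"], check=True)
    return new_text
```

Because the helper runs as root and the file stays root-owned, Postfix's ownership check is satisfied without giving the web user write access to anything under /etc/postfix.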
Re: User script for modifying main.cf and other config files
Alex wrote:
> Yes, it's a web front-end, using apache and php-fpm.
> It's written using laravel and PHP.

It relieves me (Whew!) that it is not using WP which historically has
had deep security vulnerabilities quite often. And therefore in the
situation you are proposing would be a likely stepping stone, cascading
into whole system vulnerabilities.

> I figured that if main.cf was owned by root and group writable, the
> regular user would be able to edit it, then use sudo to reload/restart
> when necessary. Apache is running as user "apache" while the php-fpm
> user is "developer". The developer account is not in the same group as
> the apache user.
>
> This is the age-old problem with having a web-based application.

Yes.

[[ And I have a mental model that databases are often used as a layer to
adapt between the two different user account permission systems. ]]

It seems to me that if you have confidence in the security of your web
UI application that it could safely use sudo to edit, modify, install,
update configuration files. Assuming that the processes that do this are
data "taint" safe and sufficiently paranoid. And then also use sudo to
reload postfix after having changed those files. In which case the files
would remain owned by root:root and the interface to modifying them
would use sudo. The ultimate security of the system would still rest
with the security of the web UI.

This still leaves me curious as to the need for this management
interface. Setting up the Apache, PHP-FPM, Laravel, and associated web
management framework, and sudo, on the system natively would be more
complex than setting up Postfix natively.

Bob
Re: User script for modifying main.cf and other config files
On Sun, Feb 07, 2021 at 02:47:11PM -0500, Wietse Venema wrote:
> Alex:
> > Hi,
> >
> > I'm working on a front-end to modify our main.cf and other config
> > files, such as the transport and relay_recips file and want to be sure
> > I'm doing it securely.
> >
> > Postfix complains if the files are not owned by root, but I don't want
> > the script to have to run as root. What is the most secure way to do
> > this?
> >
> > Perhaps passwordless sudo with the explicit ability to act on these
> > files and reload/restart postfix? Is it okay to create a backup
> > directory in /etc/postfix that's owned by this script user?
>
> Postfix requires that config files are not writable by users.
> If a non-root user can change the Postfix configuration, then that
> user has root privileges over your system. The user may not know
> how, but at this point all that remains is just security by obscurity.
>
Is some sort of sudo access possible, i.e. only the specific users you
want to enable are able to run the script with sudo privilege. The
/etc/sudoers file and associated configuration is somewhat arcane but
actually very flexible in what's possible.

--
Chris Green
Re: User script for modifying main.cf and other config files
Hi,

> > I'm working on a front-end to modify our main.cf and other config
> > files, such as the transport and relay_recips file
>
> Hmm... A front-end? Should we assume this is a web UI frontend?
> Because although most of us use $EDITOR for those files the official
> frontend is "postconf" for it. If you have to ask then you should
> definitely use postconf to edit those files.

Yes, it's a web front-end, using apache and php-fpm.

> Should we assume that you are writing a web UI. The web UI is running
> as the www-data user. It's written in Wordpress or another popular
> PHP framework. This framework itself is likely one that has deep
> security vulnerabilities posted every other week. You would like to
> make the files owned by www-data so that the web UI can edit those
> files directly. But Postfix then is warning about the situation. Is
> this what we should assume?

It's written using laravel and PHP.

> Note that just because a process does not run as a root privilege
> process does not mean that it is more secure than one that does.
> Security is composed of the entire system of layers all working
> together. Pulling a very small piece of something out of context and
> focusing on it with the microscope loses the context of the
> environment in which it exists.

Yes, understood.

> > Perhaps passwordless sudo with the explicit ability to act on these
> > files and reload/restart postfix?
>
> Quoting Zathros, "Cannot say. Saying, I would know. Do not know, so
> cannot say." It all depends upon your use of sudo. One can't say it
> won't be secure. The devil is in the details.

I figured that if main.cf was owned by root and group writable, the
regular user would be able to edit it, then use sudo to reload/restart
when necessary. Apache is running as user "apache" while the php-fpm
user is "developer". The developer account is not in the same group as
the apache user.

This is the age-old problem with having a web-based application.
Re: User script for modifying main.cf and other config files
Alex wrote:
> I'm working on a front-end to modify our main.cf and other config
> files, such as the transport and relay_recips file

Hmm... A front-end? Should we assume this is a web UI frontend?
Because although most of us use $EDITOR for those files the official
frontend is "postconf" for it. If you have to ask then you should
definitely use postconf to edit those files.

> and want to be sure I'm doing it securely.

I would like to say something useful here. But other than saying that
then you should do it securely I am at a loss for a suggestion. "Then
you should do it securely."

> Postfix complains if the files are not owned by root, but I don't want
> the script to have to run as root. What is the most secure way to do
> this?

Should we assume that you are writing a web UI. The web UI is running
as the www-data user. It's written in Wordpress or another popular
PHP framework. This framework itself is likely one that has deep
security vulnerabilities posted every other week. You would like to
make the files owned by www-data so that the web UI can edit those
files directly. But Postfix then is warning about the situation. Is
this what we should assume?

If this is not what we should assume then the only way we might know
anything is if you tell us what you are doing.

Note that just because a process does not run as a root privilege
process does not mean that it is more secure than one that does.
Security is composed of the entire system of layers all working
together. Pulling a very small piece of something out of context and
focusing on it with the microscope loses the context of the
environment in which it exists.

> Perhaps passwordless sudo with the explicit ability to act on these
> files and reload/restart postfix?

Quoting Zathros, "Cannot say. Saying, I would know. Do not know, so
cannot say." It all depends upon your use of sudo. One can't say it
won't be secure. The devil is in the details.

> Is it okay to create a backup directory in /etc/postfix that's owned
> by this script user?

Extra files and extra directories in /etc/postfix won't be a problem
for the running of Postfix if the names do not collide with names that
are used by Postfix.

Bob
Re: User script for modifying main.cf and other config files
Alex:
> Hi,
>
> I'm working on a front-end to modify our main.cf and other config
> files, such as the transport and relay_recips file and want to be sure
> I'm doing it securely.
>
> Postfix complains if the files are not owned by root, but I don't want
> the script to have to run as root. What is the most secure way to do
> this?
>
> Perhaps passwordless sudo with the explicit ability to act on these
> files and reload/restart postfix? Is it okay to create a backup
> directory in /etc/postfix that's owned by this script user?

Postfix requires that config files are not writable by users.
If a non-root user can change the Postfix configuration, then that
user has root privileges over your system. The user may not know
how, but at this point all that remains is just security by obscurity.

	Wietse
User script for modifying main.cf and other config files
Hi,

I'm working on a front-end to modify our main.cf and other config
files, such as the transport and relay_recips file and want to be sure
I'm doing it securely.

Postfix complains if the files are not owned by root, but I don't want
the script to have to run as root. What is the most secure way to do
this?

Perhaps passwordless sudo with the explicit ability to act on these
files and reload/restart postfix? Is it okay to create a backup
directory in /etc/postfix that's owned by this script user?