[15590] in bugtraq
Re: Nasty hole in postifx/procmail/cyrus
daemon@ATHENA.MIT.EDU (Dylan Griffiths)
Sun Jul 2 14:03:25 2000
Message-Id: <395DA418.5314B33C@bigfoot.com>
Date: Sat, 1 Jul 2000 01:56:08 -0600
Reply-To: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
From: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
X-To: postfix-users@cloud9.net
To: BUGTRAQ@SECURITYFOCUS.COM
John Pettitt wrote:
>
> There are a number of hacks about that allow postfix to deliver to cyrus
> imap mailboxes via procmail. It turns out that at least one of these has
> a hole in it that allows bad guy to run code as the cyrus user.
>
Secure Postfix+Procmail+Cyrus micro-howto
This should be secure, as $1, $2, etc. are not trusted nor read. Postfix
parses the user@domain.dom part for us, and feeds USER= and EXTENSION= lines
to procmail, which works on those variables only.
The entry in master.cf for procmail to be used as a mailbox_transport:
# continuation lines start with whitespace (no trailing backslash)
procmail  unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/bin/procmail -p /home/cyrus/procmail.common
  USER=${user} EXTENSION=${extension}
The procmail.common file:
#################################################
# procmailrc
# you must explicitly set a path if you're going to be spawning programs
PATH=/usr/cyrus/bin:/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
LOGFILE=/home/cyrus/$USER.log
DELIVERMAIL=/usr/cyrus/bin/deliver
###############################
# If users want to be able to define their own private recipes
# and put them in their home .procmailrc files, comment out
# the next definition.
#
# These recipes will be processed BEFORE the user-specific
# recipes that are kept in the /home/cyrus directory
#
#INCLUDERC=/home/$USER/.procmailrc
#
# If you do NOT want to define any user-specific recipes
# that you manage centrally (perhaps because you only want
# to allow your users to "roll their own"), then
# comment out the following line. Otherwise, you have
# to create a file for each user in the form:
# procmail.username -- for example, procmail.Joe
INCLUDERC=/home/cyrus/procmail.$USER
#
EXITCODE=
# Deliver to the folder named by EXTENSION (user.$USER.$EXTENSION).
# If this fails, it tries without the extension
:0w
| $DELIVERMAIL -a $USER -e -q -m $EXTENSION $USER
# If this fails, it returns error!
:0w
| $DELIVERMAIL -a $USER -e -q $USER
# The 'e' flag runs this block only if the preceding recipe failed:
# hand deliver's exit status back to Postfix, then stop processing
# (a bare HOST assignment makes procmail abort the rcfile).
:0 e
{
EXITCODE=$?
HOST
}
An example procmail.user file:
:0
* ^Return-Path: +<owner-postfix-users@postfix.org
{ EXTENSION="postfix" }
:0
* ^TOBUGTRAQ@SECURITYFOCUS.COM
{ EXTENSION="bugtraq" }
HTH.
--
www.kuro5hin.org -- technology and culture, from the trenches.
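An added illustration, not part of Dylan's post or of Postfix/procmail: the setup above is safe because USER and EXTENSION reach procmail as variables rather than being interpolated into a shell command, but a wrapper between Postfix and procmail can additionally enforce an allow-list on those two values so that anything outside plain mailbox-name characters is bounced before procmail runs. The wrapper path /usr/local/bin/procmail-cyrus and the helper names are assumptions; in master.cf you would point argv= at the wrapper instead of /usr/bin/procmail.

```sh
#!/bin/sh
# Hypothetical wrapper /usr/local/bin/procmail-cyrus (added example, not the
# original post's code). Postfix pipe(8) passes USER=... and EXTENSION=... as
# arguments; this script expects them as environment variables named the same.

# Return 0 if the value looks like a mailbox name component: non-empty,
# no leading dot (rejects "." and ".."), and only [A-Za-z0-9._-].
valid_component() {
    case "$1" in
        '' )                 return 1 ;;   # empty
        .* )                 return 1 ;;   # leading dot
        *[!A-Za-z0-9._-]* )  return 1 ;;   # anything outside the allow-list
        * )                  return 0 ;;
    esac
}

# USER is mandatory; EXTENSION may be empty (plain user@domain).
deliver_args_ok() {
    valid_component "$1" || return 1
    if [ -n "$2" ]; then
        valid_component "$2" || return 1
    fi
    return 0
}

main() {
    if ! deliver_args_ok "$USER" "$EXTENSION"; then
        # 65 is EX_DATAERR from sysexits(3): a permanent failure, so Postfix
        # bounces the message instead of retrying it.
        echo "procmail-cyrus: rejecting USER='$USER' EXTENSION='$EXTENSION'" >&2
        exit 65
    fi
    exec /usr/bin/procmail -p /home/cyrus/procmail.common \
        "USER=$USER" "EXTENSION=$EXTENSION"
}

# Only run main when installed under the wrapper name, so the functions can
# be sourced and exercised on their own.
case "$0" in
    *procmail-cyrus) main ;;
esac
```

The allow-list is deliberately narrow; if your site uses other characters in Cyrus mailbox names, widen the bracket expression in valid_component rather than dropping the check.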