Bugtraq mailing list archives
Re: Nasty hole in postifx/procmail/cyrus
From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Sat, 1 Jul 2000 01:56:08 -0600
John Pettitt wrote:
There are a number of hacks about that allow postfix to deliver to cyrus imap mailboxes via procmail. It turns out that at least one of these has a hole in it that allows a bad guy to run code as the cyrus user.
Secure Postfix+Procmail+Cyrus micro-howto

This should be secure, as $1, $2, etc. are not trusted nor read. Postfix parses the user@domain.dom part for us, and feeds USER= and EXTENSION= lines to procmail, which works on those variables only.

The entry in master.cf for procmail to be used as a mailbox_transport:

procmail  unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/bin/procmail -p /home/cyrus/procmail.common \
  USER=${user} EXTENSION=${extension}

The procmail.common file:

#################################################
# procmailrc
# you must explicitly set a path if you're going to be spawning programs
PATH=/usr/cyrus/bin:/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
LOGFILE=/home/cyrus/$USER.log
DELIVERMAIL=/usr/cyrus/bin/deliver

###############################
# If users want to be able to define their own private recipes
# and put them in their home .procmailrc files, comment out
# the next definition.
#
# These recipes will be processed BEFORE the user-specific
# recipes that are kept in the /home/cyrus directory
#
#INCLUDERC=/home/$USER/.procmailrc
#
# If you do NOT want to define any user-specific recipes
# that you manage centrally (perhaps because you only want
# to allow your users to "roll their own"), then
# comment out the following line. Otherwise, you have
# to create a file for each user in the form:
# procmail.username -- for example, procmail.Joe
INCLUDERC=/home/cyrus/procmail.$USER
#
EXITCODE=

# If this fails, it tries without the extension
:0w
| $DELIVERMAIL -a $USER -e -q -m $EXTENSION $USER

# If this fails, it returns error!
:0w
| $DELIVERMAIL -a $USER -e -q $USER

:0 e
{
  EXITCODE=$?
  HOST
}

An example procmail.user file:

:0
* ^Return-Path: +<owner-postfix-users@postfix.org
{
  EXTENSION="postfix"
}

:0
* ^TOBUGTRAQ@SECURITYFOCUS.COM
{
  EXTENSION="bugtraq"
}

HTH.
--
www.kuro5hin.org -- technology and culture, from the trenches.
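As an added example (not part of the original post): the same "deliver with the extension, then retry without it, then propagate the exit code" logic as the procmail.common recipes above, written in Python so that USER and EXTENSION reach Cyrus deliver as literal argv entries and are never handed to a shell. The deliver path and switches are the ones from the post; the recording stub runner in the usage block is constructed for illustration.

```python
"""Added example: argv-based equivalent of the procmail.common delivery recipes."""
import subprocess
from typing import Callable, List

DELIVERMAIL = "/usr/cyrus/bin/deliver"  # path used in the post


def deliver_argv(user: str, extension: str = "") -> List[str]:
    """Build the deliver(8) argument vector.

    With an extension this mirrors `-a USER -e -q -m EXTENSION USER`;
    without one it mirrors `-a USER -e -q USER`. Each value is one argv
    element, so shell metacharacters in USER/EXTENSION are not interpreted.
    """
    argv = [DELIVERMAIL, "-a", user, "-e", "-q"]
    if extension:
        argv += ["-m", extension]
    argv.append(user)
    return argv


def run_deliver(argv: List[str], message: bytes) -> int:
    """Execute deliver with the vector directly (no shell); message on stdin."""
    return subprocess.run(argv, input=message).returncode


def deliver_with_fallback(user: str, extension: str, message: bytes,
                          runner: Callable[[List[str], bytes], int] = run_deliver) -> int:
    """Try folder delivery first; if it fails, retry the plain mailbox.

    Returns the exit code of the last attempt, which is what the recipes'
    EXITCODE=$? hands back to Postfix (0 = delivered, non-zero = failure).
    """
    if extension:
        rc = runner(deliver_argv(user, extension), message)
        if rc == 0:
            return 0
    return runner(deliver_argv(user), message)


if __name__ == "__main__":
    # Constructed stub: pretend the "bugtraq" folder does not exist (rc 75),
    # but the INBOX accepts mail, to show the fallback path.
    calls: List[List[str]] = []

    def stub(argv: List[str], message: bytes) -> int:
        calls.append(argv)
        return 75 if "-m" in argv else 0

    rc = deliver_with_fallback("joe", "bugtraq", b"Subject: test\n\nhi\n", runner=stub)
    print(rc, calls)  # 0 and two attempts: with -m bugtraq, then without
```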
Current thread:
- Nasty hole in postifx/procmail/cyrus John Pettitt (Jun 30)
- Posting vulnerabilities Alfred Huger (Jun 30)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 01)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 02)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 02)
- <Possible follow-ups>
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 04)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 06)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 04)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 14)