Bugtraq mailing list archives

Re: Nasty hole in postifx/procmail/cyrus

From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Sat, 1 Jul 2000 01:56:08 -0600


John Pettitt wrote:


There are a number of hacks about that allow postfix to deliver to cyrus
imap mailboxes via procmail.    It turns out that at least one of these has
a hole in it that allows bad guy to run code as the cyrus user.


Secure Postfix+Procmail+Cyrus micro-howto

This is should be secure, as $1, $2, etc, are not trusted nor read.  Postfix
parses the user () domain dom part for us, and feeds USER= and EXTENSION= lines
to procmail, which works on those variables only

The entry in master.cf for procmail to be used as a mailbox_transport:

procmail  unix  -       n       n       -       -       pipe
    flags=R user=cyrus argv=/usr/bin/procmail -p /home/cyrus/procmail.common
\
                 USER=${user} EXTENSION=${extension}

The procmail.common file:

#################################################
# procmailrc
# you must explicitly set a path if you're gong to be spawing programs
PATH=/usr/cyrus/bin:/bin:/usr/bin:/usr/local/bin
SHELL=/bin/bash
LOGFILE=/home/cyrus/$USER.log
DELIVERMAIL=/usr/cyrus/bin/deliver

###############################
# If users want to be able to define their own private recipes
# and put them in their home .procmailrc files, comment out
# the next definition.
#
# These recipes will be processed BEFORE the user-specific
# recipes that are kept in the /home/cyrus directory
#
#INCLUDERC=/home/$USER/.procmailrc
#
# If you do NOT want to define any user-specific recipes
# that you manage centrally (perhaps because you only want
# to allow your users to "roll their own," then
# comment out the following line.  Otherwise, you have
# to create a file for each user in the form:
# procmail.username -- for example, procmail.Joe
INCLUDERC=/home/cyrus/procmail.$USER
#

EXITCODE=

# If this fails, it tries without the extension
:0w
| $DELIVERMAIL  -a $USER -e -q -m $EXTENSION $USER

# If this fails, it returns error!
:0w
| $DELIVERMAIL  -a $USER -e -q $USER

:0 e
{
        EXITCODE=$?
        HOST
}

An example procmail.user file:

:0
* ^Return-Path: +<owner-postfix-users () postfix org
{ EXTENSION="postfix" }

:0
* ^TOBUGTRAQ () SECURITYFOCUS COM
{ EXTENSION="bugtraq" }

HTH.

--
    www.kuro5hin.org -- technology and culture, from the trenches.

Current thread:

Nasty hole in postifx/procmail/cyrus John Pettitt (Jun 30)
- Posting vulnerabilities Alfred Huger (Jun 30)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 01)
  - Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 02)
- Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 02)
- <Possible follow-ups>
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 04)
  - Re: Nasty hole in postifx/procmail/cyrus Philip Guenther (Jul 06)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 04)
- Re: Nasty hole in postifx/procmail/cyrus Dylan Griffiths (Jul 14)