On 2024-12-17 11:59, Michael Tokarev via Postfix-users wrote:
>>
>> How about direct delivery to /var/mail/$user?
>
> I'm not sure I understand. What are you talking about here? Postfix's
> local(8) can do direct delivery just fine.

Without cap_dac_override it won't. Consider (and remember to clean up...):

# cp /bin/bash /bin/bash.suid
# chmod +s /bin/bash.suid
# systemd-run --pty --property=User=postfix /bin/bash.suid -pc 'head -n1 /etc/shadow'
Running as unit: run-u3834.service
Press ^] three times within 1s to disconnect TTY.
root:[nope, not this time]:17013:0:99999:7:::0
# systemd-run --pty --property=User=postfix --property=CapabilityBoundingSet=cap_setuid /bin/bash.suid -pc 'head -n1 /etc/shadow'
Running as unit: run-u3844.service
Press ^] three times within 1s to disconnect TTY.
head: cannot open '/etc/shadow' for reading: Permission denied
# systemd-run --pty --property=User=postfix --property=CapabilityBoundingSet=cap_setuid /bin/bash.suid -pc 'whoami'
Running as unit: run-u3845.service
Press ^] three times within 1s to disconnect TTY.
root

This is exactly why /etc/shadow is chmod 0000. If yours isn't, go
complain to your distro/admin immediately.

> Speaking of User=postfix, this won't work for setuid(), will it?

It should (if you're trying to switch to current EUID), unless it's
considered a fatal error. What should worry you is taking into account
such mishaps:

https://sites.google.com/site/fullycapable/thesendmailcapabilitiesissue

> worth the effort. Since Postfix already has excellent process control
> and privilege separation implemented internally, - carefully crafted
> by hand.

If you trust all the code involved...

$ objdump -x /usr/lib64/postfix/libpostfix-util.so | grep NEEDED
  NEEDED libdb-5.3.so
  NEEDED libnsl.so.2
  NEEDED libdl.so.2
  NEEDED libicuuc.so.67
  NEEDED libc.so.6

then there's glibc -> NSS -> various LDAP-like ...and SQL libraries.

Defense in depth means not trusting anything, including yourself, your
vendor, your distribution package maintainer etc.

Do I need to say: CVE-2024-3094?
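
Added example, not part of the original post: one way to check which of the capabilities discussed above a running service actually retains, by decoding the CapBnd mask from /proc/<pid>/status. The function names, the short capability list and the sample masks are assumptions made for illustration; the bit numbers are those defined in linux/capability.h.

```shell
#!/bin/sh
# Added example: decode a capability mask as printed on the CapBnd (or
# CapEff) line of /proc/<pid>/status. All function names are hypothetical.

# Capabilities relevant to the delivery discussion, as name:bit pairs
# (bit numbers from linux/capability.h).
CAPS="cap_chown:0 cap_dac_override:1 cap_dac_read_search:2 cap_setgid:6 cap_setuid:7 cap_net_bind_service:10"

# has_cap MASK BIT: exit status 0 if BIT is set in the hex MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# list_caps MASK: print the names from CAPS that are set in MASK.
list_caps() {
    out=""
    for entry in $CAPS; do
        name=${entry%%:*}
        bit=${entry##*:}
        if has_cap "$1" "$bit"; then
            out="$out${out:+ }$name"
        fi
    done
    printf '%s\n' "$out"
}

# bounding_set PID: print the CapBnd mask of a running process.
bounding_set() {
    awk '$1 == "CapBnd:" { print $2 }' "/proc/$1/status"
}

# audit MASK: "dac-bypass" if uid 0 in this unit can still ignore file
# mode bits (cap_dac_override or cap_dac_read_search), else "dac-enforced".
audit() {
    if has_cap "$1" 1 || has_cap "$1" 2; then
        echo "dac-bypass"
    else
        echo "dac-enforced"
    fi
}

# Typical use against a live process (PID is a placeholder):
#   audit "$(bounding_set "$PID")"
```

A unit started with CapabilityBoundingSet=cap_setuid shows the mask 0000000000000080, which audit reports as dac-enforced; that is the case where the setuid shell above got "Permission denied" on /etc/shadow.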