On June 10, 2017 9:35:38 PM EDT, wie...@porcupine.org wrote:
>Wietse Venema:
>> Scott Kitterman:
>> > It would be nice to get a read from the Postfix developers if this issue
>> > recently reported to oss-security [1] is relevant to Postfix on systems with
>> > support for Berkeley DB databases?
>>
>> Set-[ug]id privilege escalation with environment settings that
>> modify the behavior of a library? Not relevant.
>
>Hmm. This is about a fixed pathname in the current directory.
>
>Postfix daemons run with cwd == /var/spool/postfix which is writable
>only by root. So that is safe.
>
>Set-gid Postfix non-daemon programs will eventually chdir() to
>/var/spool/postfix, but it is possible that PAM or NSS opens a db
>file before that time, or that postdrop or postqueue open a db file
>while initializing some main.cf setting.
>
>I guess that means one could trick Berkeley DB into reading a message
>file in the maildrop directory, if you know the maildrop file name.
>Normally, a maildrop file will be removed quickly by the pickup
>daemon, so I don't know how realistic an attack like this would be.
>
>Other Postfix non-daemon programs run with the same privileges as
>the process that invokes the command. There is no privilege escalation.

Thanks for reviewing.

Scott K
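
The safety argument in the quoted reply rests on the working directory being writable only by root. As an added example (not part of this thread and not Postfix code), the C program below checks that property for the current directory, so a privileged program can verify it before any library opens a fixed relative pathname. The function names are hypothetical, and checking every ancestor directory as well goes beyond what the thread states.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy (hypothetical helper): a directory owned by root with no
 * group or other write bit. Sticky world-writable dirs still fail. */
int root_only_writable(uid_t owner, mode_t mode)
{
    return owner == 0 && S_ISDIR(mode) && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* 1 = dir and all ancestors pass, 0 = some component fails, -1 = error.
 * Ancestors are checked because whoever can write a parent can rename
 * the child away. lstat() means a symlink component is rejected. */
int dir_chain_trusted(const char *dir)
{
    char path[PATH_MAX];
    struct stat st;

    if (dir[0] != '/' || strlen(dir) >= sizeof(path))
        return -1;                      /* absolute paths only */
    strcpy(path, dir);
    for (;;) {
        if (lstat(path, &st) != 0)
            return -1;
        if (!root_only_writable(st.st_uid, st.st_mode))
            return 0;
        if (path[1] == '\0')
            return 1;                   /* "/" itself passed */
        char *slash = strrchr(path, '/');
        if (slash == path) path[1] = '\0'; else *slash = '\0';
    }
}

int main(void)
{
    char cwd[PATH_MAX];

    if (getcwd(cwd, sizeof(cwd)) == NULL) { perror("getcwd"); return 2; }
    int r = dir_chain_trusted(cwd);
    printf("%s: %s\n", cwd, r == 1 ? "writable only by root"
                          : r == 0 ? "NOT writable only by root" : "error");
    return r == 1 ? 0 : 1;
}
```
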