> On Jan 29, 2018, at 12:21 PM, Michael Orlitzky <mich...@orlitzky.com> wrote:
>
> My question is, can't the $mail_owner -- who knows that this is going to
> take place eventually -- throw a hard link into the active queue that
> points to a sensitive file? Proof of concept:
>
> $ sudo su postfix -s /bin/sh -c 'ln /etc/passwd /var/spool/postfix/active/x'
> $ sudo postfix set-permissions
> $ ls /etc/passwd
> -rw-r--r-- 2 postfix root 1.4K 2018-01-27 11:47 /etc/passwd
This issue affects a lot more than just Postfix. For example, tar(1) when run as root will chown files to the owner listed in the archive metadata, and is almost certainly equally exposed. Therefore, while it may be possible to attempt to work around this in Postfix, the only sensible solution is at the OS level. See

https://danwalsh.livejournal.com/64493.html
https://www.mjmwired.net/kernel/Documentation/sysctl/fs.txt#184

-- 
Viktor.
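The two defensive checks that follow are an added example for this thread; they are not Postfix code and not part of either message above. The first reports whether the kernel-level mitigation the reply points to (the fs.protected_hardlinks sysctl, read here from /proc, which is an assumed Linux layout) is enabled. The second implements the check a privileged ownership sweep such as set-permissions or a root tar extraction would want before chowning anything: list regular files under a directory whose link count is above 1, since such a file may alias something outside the tree (the "2" in the ls output above is exactly this signal). Directory and file names in the usage section are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix.

# hardlinks_protected: exit 0 if fs.protected_hardlinks=1, 1 if it is 0,
# 2 if the setting cannot be read (not Linux, or /proc not mounted).
# Assumes the Linux /proc/sys layout.
hardlinks_protected() {
    f=/proc/sys/fs/protected_hardlinks
    if [ -r "$f" ]; then
        v=$(cat "$f")
        [ "$v" = "1" ] && return 0
        return 1
    fi
    return 2
}

# multilink_files DIR: print the path of every regular file under DIR whose
# link count exceeds 1.  These are the entries a privileged chown/chmod sweep
# must not touch blindly, because the same inode may be reachable elsewhere.
multilink_files() {
    find "$1" -type f -links +1 -print
}

# sweep_ok DIR: exit 0 when DIR contains no multi-linked regular files and an
# ownership sweep can proceed; exit 1 otherwise (the offending paths are
# printed to stderr so an operator can inspect them).
sweep_ok() {
    bad=$(multilink_files "$1")
    if [ -n "$bad" ]; then
        printf 'refusing sweep of %s: multi-linked files present:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (constructed demo tree under a temp dir; nothing outside it is touched).
if [ "${DEMO:-0}" = "1" ]; then
    d=$(mktemp -d)
    echo hello > "$d/a"
    ln "$d/a" "$d/b"        # a and b now share one inode, link count 2
    echo solo > "$d/c"      # ordinary file, link count 1
    hardlinks_protected && echo "fs.protected_hardlinks=1" || echo "fs.protected_hardlinks not enabled or unknown (rc=$?)"
    sweep_ok "$d" && echo "sweep ok" || echo "sweep refused"
    rm -rf "$d"
fi
```

Run with DEMO=1 to see the constructed tree refused; in a real deployment the point is to call sweep_ok (or an equivalent per-file nlink test) before any recursive chown as root, and to treat a disabled fs.protected_hardlinks as the finding to fix rather than something to paper over in each application.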