On 05-09-18 13:26, Wietse Venema wrote:
> Luc Pardon:
>> Hello,
>>
>> Running Postfix 3.3.1 under Linux, postfix-script produces pointless
>> warnings if/when there are symbolic links in or below $config_directory.
>
> The problem is that the symlink may point to any location including
> a file under an unsafe directory such as /var/tmp or /home/user.
>
> Unless you are constraining the target of the symlink (and your
> patch does not), this is a security hole waiting to happen.
>
> Wietse
>
True enough, of course.
But that is a wholly different check than the owner/permission check.
Besides, flooding the logs with unhelpful warnings actually has the
effect of obscuring the security holes.

Finding those would call for a separate check, specifically looking for
symlinks pointing outside the Postfix root-owned directory tree.
And I'd say that this check would belong in the "check-fatal" section of
postfix-script, rather than in "check-warning".

The Q&D shell scriptlet below my sig would probably do the trick for
$config_directory, but it requires the "realpath" command, part of the
GNU core utilities package. Not sure how portable that would be. Some
obscure incantation of "find" could probably do the job, too.

The first question is obviously: can we disallow symlinks to the outside
world by definition? I'd say the answer is yes, but $(whoami) ?

Luc
==================================
#!/bin/sh
# This would not be needed if integrated into postfix-script:
# (command substitution already strips the trailing newline)
BASE=$(postconf -hx config_directory)
# Search for dangerous symlinks in $1 and its subdirs
# (POSIX function syntax; the "function" keyword is not valid in plain sh)
inspect()
{
    DIR=$1
    for f in "$DIR"/* ; do
        if [ -L "$f" ]; then
            # if it points outside $BASE, the relative path starts with ".."
            DOT=$(realpath --relative-to "$BASE" "$f" | cut -d'/' -f1)
            if [ "$DOT" = ".." ]; then
                echo "ALARM: $f is a symlink to $(realpath "$f")"
            fi
        elif [ -d "$f" ]; then
            inspect "$f"
        fi
    done
}
inspect "$BASE"
==================================
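
The "incantation of find" variant mentioned in the message above, as an added example that is not part of the original post or of postfix-script. It goes slightly beyond the scriptlet by also covering dotfiles, names with spaces and dangling links; the function names `list_escaping_symlinks` and `demo` are hypothetical, and GNU coreutils `realpath` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example, not part of postfix-script. Assumes GNU coreutils
# "realpath" and "readlink"; file names containing newlines are not handled.

# list_escaping_symlinks BASE
#   Prints one line per symlink below BASE that resolves outside BASE or
#   does not resolve at all. Returns 0 if clean, 1 if any were found.
list_escaping_symlinks() {
    base=$(realpath "$1") || return 2
    # find also sees dotfiles and never descends through symlinked dirs
    find "$base" -type l -print | (
        status=0
        while IFS= read -r link; do
            if [ ! -e "$link" ]; then
                echo "DANGLING: $link -> $(readlink "$link")"
                status=1
                continue
            fi
            target=$(realpath "$link")
            case "$target" in
                "$base"|"$base"/*) ;;   # inside the tree: fine
                *) echo "OUTSIDE: $link -> $target"; status=1 ;;
            esac
        done
        exit "$status"
    )
}

# Constructed sample tree (not a real Postfix layout) to exercise the check.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/postfix/maps" "$tmp/postfix-evil"
    : > "$tmp/postfix/main.cf"
    : > "$tmp/postfix-evil/main.cf"
    ln -s ../main.cf "$tmp/postfix/maps/inside"               # stays inside
    ln -s "$tmp/postfix-evil/main.cf" "$tmp/postfix/.hidden"  # sibling dir
    ln -s /nonexistent/x "$tmp/postfix/maps/broken link"      # dangling
    rc=0
    list_escaping_symlinks "$tmp/postfix" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

The non-zero return status lets a caller treat any finding as fatal rather than as a warning. The match on `"$base"/*` with the trailing slash is what keeps a sibling directory such as `postfix-evil` from passing as "inside".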