Kevin N.:
> Hello everybody,
> 
> On one of our internal Postfix systems I noticed that one of the
> check_policy_service scripts is using postconf and postmap to perform
> some alias lookups. It uses postconf to get the virtual_alias_maps
> parameter, which is then used by postmap to perform the lookups.

This will limit scalability, but can work with low request rates.
However, there is an inherent danger to using arbitrary email
addresses from the internet in a shell command line.

> Now, the load on the system is relatively low, and everything seems to 
> be working quite well. Only reading is involved. But it still got me 
> thinking.
> 
> Could there be any hidden, unexpected behavior when using them this way?
> How about if the load gets higher? Were they designed from the start to 
> handle higher loads?

Depending on how the commands are run, there may be shell command
injection opportunities when an email address contains semicolon,
backslash, quote, or other special characters. Postfix does not
allow addresses that start with '-'.

A famous example of shell command injection was CVE-1999-0067
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0067)
which took input from the internet and pasted it into a shell
command line.

For an exploit, see https://xkcd.com/327/ - the specific case is
for an SQL-based server, but it is easily adapted to UNIX shell.

        Wietse
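An added illustration of the point Wietse makes above, not code from the thread or from Postfix: a Python policy-service helper that hands postmap an argv list instead of a shell string, with a constructed map name and a constructed address containing a semicolon to show what a shell would make of the string form. The map name, the address, and the whitelist regex are assumptions for the demo.

```python
import re
import shlex
import subprocess

# Constructed sample values: a map list as "postconf -h virtual_alias_maps"
# prints it, and an envelope address a remote sender could supply.
MAPS = "hash:/etc/postfix/virtual"
CRAFTED = "alice@example.com;true"

# Conservative shape check for addresses we are willing to hand to postmap.
# A leading alphanumeric rules out option-like "-x" values as well (Postfix
# already rejects those, but the check is cheap insurance).
SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+=-]*@[A-Za-z0-9.-]+$")

def is_safe(address):
    return bool(SAFE_ADDRESS.match(address))

def unsafe_command(address, maps):
    """The pattern the thread warns about: one string handed to a shell."""
    return f"postmap -q {address} {maps}"

def shell_words(command):
    """Tokenize roughly the way /bin/sh would, so the split becomes visible."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def safe_argv(address, maps):
    """Build an argv list; each element reaches postmap as exactly one argument.

    postmap accepts several map files, so a comma- or space-separated
    virtual_alias_maps value is split into separate arguments.
    """
    if not is_safe(address):
        raise ValueError(f"refusing to look up address {address!r}")
    return ["postmap", "-q", address, *maps.replace(",", " ").split()]

def lookup_alias(address, maps=None, run=subprocess.run):
    """Return the alias target for address, or None if nothing maps it."""
    if maps is None:
        # -h prints the parameter value without the "name = " prefix.
        maps = run(["postconf", "-h", "virtual_alias_maps"],
                   capture_output=True, text=True, check=True).stdout.strip()
    # An argv list is executed directly; no shell ever parses the address.
    proc = run(safe_argv(address, maps), capture_output=True, text=True)
    # postmap -q prints the value and exits 0 on a hit, exits 1 on a miss.
    return proc.stdout.strip() if proc.returncode == 0 else None
```

The `run` parameter exists so the lookup can be exercised with a stand-in for `subprocess.run` on a machine without Postfix installed.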
