Hi Wietse,
Thank you for the detailed explanation.
This will limit scalability, but can work with low request rates.
However, there is an inherent danger to using arbitrary email
addresses from the internet in a shell command line.
Depending on how the commands are run, there may be shell command
injection opportunities when an email address contains semicolon,
backslash, quote, or other special characters. Postfix does not
allow addresses that start with '-'.
That's what I was afraid of.
The script is a Python script and it is executed as user nobody through
Postfix's spawn service, whenever check_policy_service needs it.
From what I can see postconf and postmap are called using Python's
subprocess.Popen, like so:
    import subprocess
    subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                     encoding='utf-8', shell=False)
where:
    args = ['/usr/sbin/postconf', '-xh', 'virtual_alias_maps']
and
    args = ['/usr/sbin/postmap', '-q',
            'recipient@from-postfix-check-policy-service-call',
            'hash:/etc/postfix/virtual_aliases']
With shell=False and assuming that Python doesn't have some nasty bug in
this area, is it safe to assume that shell command injection would not
be possible in this case?
A famous example of shell command injection was CVE-1999-0067
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0067)
which took input from the internet and pasted it into a shell
command line.
For an exploit, see https://xkcd.com/327/ - the specific case is
for an SQL-based server, but it is easily adapted to UNIX shell.
Wietse
That comic is priceless :)
Cheers,
K.
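As an added example (my own code, not from this thread and not Postfix's), the following shows what shell=False actually buys in the postmap call discussed above: the argv is built as a list, a Python one-liner stands in for /usr/sbin/postmap and reports back the argv it received, and constructed addresses full of shell metacharacters each arrive as one literal argument. The leading-'-' check duplicates, as a belt-and-braces measure, what Wietse says Postfix already enforces.

```python
import subprocess
import sys

# Constructed sample addresses (not taken from the thread): each carries
# characters a shell would interpret if pasted into a command line.
SAMPLE_ADDRESSES = [
    "plain.user@example.com",
    "user; id@example.com",
    "user$(id)@example.com",
    "user`id`@example.com",
    "user'\"\\ @example.com",
    "user|cat /etc/passwd@example.com",
]

MAP_SPEC = "hash:/etc/postfix/virtual_aliases"


def postmap_lookup_argv(address, map_spec=MAP_SPEC):
    """Build the argv for 'postmap -q ADDRESS MAP' as the thread describes.

    Hypothetical defensive checks, not Postfix code: Postfix already refuses
    addresses starting with '-', but re-checking keeps a stray value from ever
    being parsed as an option, and execve() cannot carry a NUL byte anyway.
    """
    if not address or address.startswith("-"):
        raise ValueError("address must not be empty or start with '-'")
    if "\0" in address:
        raise ValueError("address must not contain a NUL byte")
    return ["/usr/sbin/postmap", "-q", address, map_spec]


# Stand-in child for postmap: writes back its own argv, NUL-separated,
# so we can see exactly what execve() delivered.
_ECHO_ARGV = "import os, sys; os.write(1, chr(0).join(sys.argv[1:]).encode())"


def argv_seen_by_child(address):
    """Run the stand-in with shell=False and return the argv it received.

    No shell is involved, so each list element reaches the child verbatim:
    metacharacters in ADDRESS are just bytes inside one argument.
    """
    argv = postmap_lookup_argv(address)
    argv[0:1] = [sys.executable, "-c", _ECHO_ARGV]   # swap postmap for the stand-in
    out = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                         encoding="utf-8", shell=False, check=True).stdout
    return out.split("\0")
```

Calling argv_seen_by_child() on each of SAMPLE_ADDRESSES returns ['-q', address, MAP_SPEC] with the address unchanged, which is the property the shell=False question above hinges on.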