Sendmail -- aktualni verze [Re: SPAM (podpora do sendmailu)]
Hynek Med
xmedh02 at manes.vse.cz
Wed Nov 12 14:31:09 CET 1997
On 12 Nov 1997, Vladimír Solnický {Vladimir Solnicky} wrote:
> Jen bych doplnil, ze v rijnu byl dan do obehu 8.8.8, ale posledni znama
> bezpecnostni dira byla v 8.8.4 a byla opravena v 8.8.5, pozdejsi verze
> obsahuji jen ,,minor bux fixes`` ne bezpecnostniho charakteru.
No ani bych nerekl.
8.8.6/8.8.6 97/06/14
[..]
SECURITY: A few systems allow an open with the O_EXCL|O_CREAT open
mode bits set to create a file that is a symbolic link that
points nowhere. This makes it possible to create a root
owned file in an arbitrary directory by inserting the symlink
into a writable directory after the initial lstat(2) check
determined that the file did not exist. The only verified
example of a system having these odd semantics for O_EXCL
and symbolic links was HP-UX prior to version 9.07. Most
systems do not have the problem, since a exclusive create
of a file disallows symbolic links. Systems that have been
verified to NOT have the problem include AIX 3.x, *BSD,
DEC OSF/1, HP-UX 9.07 and higher, Linux, SunOS, Solaris,
and Ultrix. This is a potential exposure on systems that
have this bug and which do not have a MAILER-DAEMON alias
pointing at a legitimate account, since this will cause old
mail to be dropped in /var/tmp/dead.letter.
SECURITY: Problems can occur on poorly managed systems, specifically,
if maps or alias files are in world writable directories.
If your system has alias maps in writable directories, it
is potentially possible for an attacker to replace the .db
(or .dir and .pag) files by symbolic links pointing at
another database; this can be used either to expose
information (e.g., by pointing an alias file at
/etc/spwd.db
and probing for accounts), or as a denial-of-service attack
(by trashing the password database). The fix disallows
symbolic links entirely when rebuilding alias files or on
maps that are in writable directories, and always warns on
writable directories; 8.9 will probably consider writable
directories to be fatal errors. This does not represent an
exposure on systems that have alias files in unwritable
system directories.
SECURITY: disallow .forward or :include: files that are links (hard
or soft) if the parent directory (or any directory in the
path) is writable by anyone other than the owner. This is
similar to the previous case for user files. This change
should not affect most systems, but is necessary to prevent
an attacker who can write the directory from pointing such
files at other files that are readable only by the owner.
SECURITY: Tighten safechown rules: many systems will say that they
have a safe (restricted to root) chown even on files that
are mounted from another system that allows owners to give
away files. The new rules are very strict, trusting file
ownership only in those few cases where the system has
been verified to be at least as paranoid as necessary.
However, it is possible to relax the rules to partially
trust the ownership if the directory path is not world or
group writable. This might allow someone who has a legitimate
:include: file (referenced directly from /etc/aliases) to
become another non-root user if the :include: file is in a
non-writable directory on an NFS-mounted filesystem where
the local system says that giveaway is denied but it is
actually permitted. I believe this to be a very small set
of cases. If in doubt, do not point :include: aliases at
NFS-mounted filesystems.
SECURITY: When setting a numeric group id using the RunAsUser option
(e.g., "O RunAsUser=10:20", the group id would not be set.
Implicit group ids (e.g., "O RunAsUser=mailnull") or alpha
group ids (e.g., "O RunAsUser=mailuser:mailgrp") worked fine.
The user id was still set properly. Problem noted by Uli
Pralle of the Technical University of Berlin.
[..]
MAIL.LOCAL: SECURITY: check to make sure that an attacker doesn't
"slip in" a symbolic link between the lstat(2) call and the
exclusive open. This is only a problem on System V derived
systems that allow an exclusive create on files that are
symbolic links pointing nowhere.
Hynek
--
Hynek Med, xmedh02 at manes.vse.cz
More information about the net
mailing list