Standards, the kernel, and Postfix
Posted Aug 20, 2008 21:21 UTC (Wed) by jzbiciak
In reply to: Standards, the kernel, and Postfix
Parent article: Standards, the kernel, and Postfix
Here's the scenario, as I understand it:
- Suppose /etc/inittab is a symlink to /etc/inittab.thishost.
- Now suppose an attacker hard-links /etc/inittab to /home/attacker/maildir/somefile.
- Next, the attacker mails himself a specially formatted email containing inittab records.
The attacker can't modify the symlink in /etc because that directory is not owned or writable by the attacker. The attacker can make a hard link[1], though, and that's where the hole is.
To my eyes, the real problem is that it's possible to deliver mail for user $FOO to a file that user $FOO doesn't have write permission on. If you're reading mail via a local mail spool, and the user has control over where it's written, it seems as though some setfsuid is in order when writing it?
[1] Hard links tend not to be able to span filesystem boundaries, though, so if /etc and /home are in different filesystems, you may be ok. I don't think anything guarantees or requires that, but it's a common feature of all the *nix filesystems I've worked with, which is admittedly a narrow set.
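The delivery-side check the comment above asks for, as an added example that is not part of the post and is not Postfix code. It assumes a hypothetical helper, deliver_to_file(), that opens the target with O_NOFOLLOW, then checks the object it actually opened: it must be a regular file, owned by the recipient, with a link count of exactly one, which is the property the hard-link trick in the scenario destroys. When the agent runs as root on Linux it does the open under the recipient's fsuid via setfsuid(), so the kernel, not the agent, decides whether the recipient may write there. scenario() rebuilds the post's setup in a scratch directory under /tmp (the inbox, a hard link named "somefile", a symlink, and a message body that happens to look like inittab records are all constructed for the demonstration) and reports the verdict.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/fsuid.h>   /* setfsuid(): Linux-specific */
#endif

enum deliver_result {
    DELIVER_OK = 0,
    DELIVER_ERR_OPEN,     /* open() refused it (a symlink trips O_NOFOLLOW) */
    DELIVER_ERR_NOT_REG,  /* not a regular file */
    DELIVER_ERR_OWNER,    /* file is not owned by the recipient */
    DELIVER_ERR_LINKED,   /* link count > 1: may alias a file somewhere else */
    DELIVER_ERR_WRITE,    /* short or failed write */
    DELIVER_ERR_SETUP     /* only from scenario(): scratch files not created */
};

/* Hypothetical local-delivery helper (this example's own code, not Postfix's).
 * Appends msg to path on behalf of recipient_uid, refusing anything that is
 * not the recipient's own, singly-linked, regular file. */
enum deliver_result deliver_to_file(const char *path, uid_t recipient_uid,
                                    const char *msg, size_t len)
{
    enum deliver_result r = DELIVER_ERR_OPEN;
    struct stat st;
    int fd = -1;
#ifdef __linux__
    /* A root agent does the open with the recipient's fsuid, so the kernel
     * applies the recipient's permissions (the post's setfsuid suggestion).
     * An unprivileged caller cannot switch, so the step is skipped. */
    int switched = geteuid() == 0;
    uid_t saved_fsuid = switched ? (uid_t)setfsuid(recipient_uid) : 0;
#endif
    fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0 || fstat(fd, &st) < 0)
        goto out;
    /* Judge the object we opened, not the name we were handed. */
    if (!S_ISREG(st.st_mode))       { r = DELIVER_ERR_NOT_REG; goto out; }
    if (st.st_uid != recipient_uid) { r = DELIVER_ERR_OWNER;   goto out; }
    if (st.st_nlink != 1)           { r = DELIVER_ERR_LINKED;  goto out; }
    r = (write(fd, msg, len) == (ssize_t)len) ? DELIVER_OK : DELIVER_ERR_WRITE;
out:
    if (fd >= 0)
        close(fd);
#ifdef __linux__
    if (switched)
        setfsuid(saved_fsuid);
#endif
    return r;
}

enum target_kind { TARGET_PLAIN, TARGET_HARDLINK, TARGET_SYMLINK };

/* Recreate the post's scenario in a scratch directory: the recipient's own
 * inbox reached directly, through a hard link named "somefile", or through a
 * symlink.  Everything is constructed here and removed again. */
enum deliver_result scenario(enum target_kind kind)
{
    char dir[] = "/tmp/maildir-demo-XXXXXX";
    char inbox[64], target[64];
    /* Constructed sample message whose body looks like inittab records. */
    static const char msg[] = "From attacker@localhost\n\nid:3:initdefault:\n";
    enum deliver_result r = DELIVER_ERR_SETUP;
    int fd, ready = 0;

    if (!mkdtemp(dir))
        return DELIVER_ERR_SETUP;
    snprintf(inbox, sizeof inbox, "%s/inbox", dir);
    snprintf(target, sizeof target, "%s/somefile", dir);
    fd = open(inbox, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    close(fd);
    if (kind == TARGET_HARDLINK)
        ready = link(inbox, target) == 0;     /* inbox now has st_nlink == 2 */
    else if (kind == TARGET_SYMLINK)
        ready = symlink(inbox, target) == 0;
    else
        ready = 1;
    if (ready)
        r = deliver_to_file(kind == TARGET_PLAIN ? inbox : target,
                            getuid(), msg, sizeof msg - 1);
cleanup:
    unlink(target);
    unlink(inbox);
    rmdir(dir);
    return r;
}

int main(void)
{
    printf("plain inbox  : %d (0 = delivered)\n", scenario(TARGET_PLAIN));
    printf("via hard link: %d (4 = refused, link count > 1)\n", scenario(TARGET_HARDLINK));
    printf("via symlink  : %d (1 = refused at open, O_NOFOLLOW)\n", scenario(TARGET_SYMLINK));
    return 0;
}
```

Build with `cc -Wall -o deliver deliver.c` and run it as an ordinary user. The link-count test is deliberately coarse: it also refuses a mailbox the recipient has hard-linked on purpose, and, as the footnote above notes, link() cannot cross filesystems, so the hard-link path only exists when the attacker's directory shares a filesystem with the target. For an agent that really runs as root, the fsuid switch is the control that matters, because it makes the append fail on a file the recipient cannot write, whatever name it was reached by.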