Dot forward not reading links

  • wimpunk
    Message 1 of 10, Nov 30, 2012
      Hi,

      I've been wondering why my .forward files didn't work like I
      expected and finally I found out dotforward doesn't accept linked
      files. Is there any reason why dotforward doesn't read links? In
      src/local/dotforward.c (line 232 of the latest Debian version) I wanted
      to change

      if (S_ISREG(st.st_mode) == 0) {

      to

      if ((S_ISREG(st.st_mode) == 0) && (S_ISLNK(st.st_mode) == 0)) {

      and I was wondering why it wasn't that way already.

      Regards,

      wimpunk.
    • Wietse Venema
      Message 2 of 10, Nov 30, 2012
        wimpunk:
        > Hi,
        >
        > I've been wondering why my .forward files didn't work like I
        > expected and finally I found out dotforward doesn't accept linked
        > files. Is there any reason why dotforward doesn't read links? In
        > src/local/dotforward.c (line 232 of the latest Debian version) I wanted
        > to change

        What if the symlink points to /dev/zero or /dev/random?

        Wietse
      • wimpunk
        Message 3 of 10, Nov 30, 2012
          On Fri, Nov 30, 2012 at 11:10 PM, Wietse Venema <wietse@...> wrote:
          > wimpunk:
          >> Hi,
          >>
          >> I've been wondering why my .forward files didn't work like I
          >> expected and finally I found out dotforward doesn't accept linked
          >> files. Is there any reason why dotforward doesn't read links? In
          >> src/local/dotforward.c (line 232 of the latest Debian version) I wanted
          >> to change
          >
          > What if the symlink points to /dev/zero or /dev/random?
          >
          > Wietse

          It would fail because the file would be world writable.

          wimpunk.
        • Wietse Venema
          Message 4 of 10, Nov 30, 2012
            wimpunk:
            > On Fri, Nov 30, 2012 at 11:10 PM, Wietse Venema <wietse@...> wrote:
            > > wimpunk:
            > >> Hi,
            > >>
            > >> I've been wondering why my .forward files didn't work like I
            > >> expected and finally I found out dotforward doesn't accept linked
            > >> files. Is there any reason why dotforward doesn't read links? In
            > >> src/local/dotforward.c (line 232 of the latest Debian version) I wanted
            > >> to change
            > >
            > > What if the symlink points to /dev/zero or /dev/random?
            > >
            > > Wietse
            >
            > It would fail because the file would be world writable.

            Right, and your point is that all malicious symlinks under all
            user's home directories will always resolve to a world-writable
            file, so I should not have to worry about such things.

            Wietse
          • wimpunk
            Message 5 of 10, Dec 1, 2012
              On Fri, Nov 30, 2012 at 11:41 PM, Wietse Venema <wietse@...> wrote:
              > wimpunk:
              >> On Fri, Nov 30, 2012 at 11:10 PM, Wietse Venema <wietse@...> wrote:
              >> > wimpunk:
              >> >> Hi,
              >> >>
              >> >> I've been wondering why my .forward files didn't work like I
              >> >> expected and finally I found out dotforward doesn't accept linked
              >> >> files. Is there any reason why dotforward doesn't read links? In
              >> >> src/local/dotforward.c (line 232 of the latest Debian version) I wanted
              >> >> to change
              >> >
              >> > What if the symlink points to /dev/zero or /dev/random?
              >> >
              >> > Wietse
              >>
              >> It would fail because the file would be world writable.
              >
              > Right, and your point is that all malicious symlinks under all
              > user's home directories will always resolve to a world-writable
              > file, so I should not have to worry about such things.
              >
              > Wietse

              No, my point is that if it pointed to /dev/zero or /dev/random, it
              would fail because the file is world writable.

              If you want to check on malicious links, postfix could verify if the
              link it points to is a file with the correct features.
              I believe there is no need for such check. If you're afraid of
              malicious files, you better just disable the userforward feature.
              People could write their own malicious files. There is actually not
              that much difference between doing a cp or doing a ln, or at least not
              from my point of view. I'm pretty much interested in what you
              consider as a malicious file and why it should be considered as a much
              bigger risk than using the normal dotforward files.

              The reason I searched for this is because I just wanted to make my own
              management easier. I had a .forward+a file which filtered the mail to
              a specific folder in my mailbox. Because I wanted the mail sent to
              ${user}+b and ${user}+c handled the same way, I created a link named
              .forward+b and .forward+c which pointed to .forward+a but as we know,
              it didn't work.

              Regards,

              wimpunk.
            • Wietse Venema
              Message 6 of 10, Dec 1, 2012
                wimpunk:
                > If you want to check on malicious links, postfix could verify if the
                > link it points to is a file with the correct features.

                The .forward file is a "program" that can execute arbitrary shell
                commands and that can write to arbitrary files, with the privileges
                of the recipient (which may be "root"). All this makes .forward a
                sensitive file.

                Common-sense measures to protect a sensitive file are:

                - Keeping the file within a directory that is writable only by the
                recipient or by the system administrator.

                - Using a "hidden" name in the user's home directory, such that the
                file isn't easily destroyed by mistake.

                If you want Postfix to look for .forward files in other locations,
                then you can edit the forward_path parameter setting. The default
                is to look under the home directory.

                forward_path = $home/.forward${recipient_delimiter}${extension},
                $home/.forward

                Here is an example with per-user files under /var/forward:

                forward_path = /var/forward/$user

                Of course you can mix the two models.

                Wietse
              • /dev/rob0
                Message 7 of 10, Dec 1, 2012
                  On Sat, Dec 01, 2012 at 09:51:05AM +0100, wimpunk wrote:
                  > The reason I searched for this is because I just wanted to make my
                  > own management easier. I had a .forward+a file which filtered the
                  > mail to a specific folder in my mailbox. Because I wanted the mail
                  > sent to ${user}+b and ${user}+c handled the same way, I created a
                  > link named .forward+b and .forward+c which pointed to .forward+a
                  > but as we know, it didn't work.

                  Hard links work fine.
                  --
                  http://rob0.nodns4.us/ -- system administration and consulting
                  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
                • wimpunk
                  Message 8 of 10, Dec 4, 2012
                    On Sat, Dec 1, 2012 at 2:52 PM, Wietse Venema <wietse@...> wrote:
                    > wimpunk:
                    >> If you want to check on malicious links, postfix could verify if the
                    >> link it points to is a file with the correct features.
                    >
                    > The .forward file is a "program" that can execute arbitrary shell
                    > commands and that can write to arbitrary files, with the privileges
                    > of the recipient (which may be "root"). All this makes .forward a
                    > sensitive file.
                    >
                    > Common-sense measures to protect a sensitive file are:
                    >
                    > - Keeping the file within a directory that is writable only by the
                    > recipient or by the system administrator.
                    >
                    > - Using a "hidden" name in the user's home directory, such that the
                    > file isn't easily destroyed by mistake.
                    >
                    > If you want Postfix to look for .forward files in other locations,
                    > then you can edit the forward_path parameter setting. The default
                    > is to look under the home directory.
                    >
                    > forward_path = $home/.forward${recipient_delimiter}${extension},
                    > $home/.forward
                    >
                    > Here is an example with per-user files under /var/forward:
                    >
                    > forward_path = /var/forward/$user
                    >
                    > Of course you can mix the two models.
                    >
                    > Wietse

                    Thanks for the feedback but still I don't get the point why it would
                    make any difference between using a link or a file as .forward. That
                    link could only be written by the sysadmin or me. The only thing you
                    have to trust is having users with a little common sense. But you
                    also need it if you want to use user defined .forward files.

                    wimpunk.
                  • wimpunk
                    Message 9 of 10, Dec 4, 2012
                      On Sat, Dec 1, 2012 at 5:49 PM, /dev/rob0 <rob0@...> wrote:
                      > On Sat, Dec 01, 2012 at 09:51:05AM +0100, wimpunk wrote:
                      >> The reason I searched for this is because I just wanted to make my
                      >> own management easier. I had a .forward+a file which filtered the
                      >> mail to a specific folder in my mailbox. Because I wanted the mail
                      >> sent to ${user}+b and ${user}+c handled the same way, I created a
                      >> link named .forward+b and .forward+c which pointed to .forward+a
                      >> but as we know, it didn't work.
                      >
                      > Hard links work fine.

                      Sorry for the late reply but it sounds like a good plan. :-) Tnx!

                      wimpunk.
                    • Wietse Venema
                      Message 10 of 10, Dec 4, 2012
                        wimpunk:
                        > Thanks for the feedback but still I don't get the point why it would
                        > make any difference between using a link or a file as .forward. That
                        > link could only be written by the sysadmin or me. The only thing you
                        > have to trust is having users with a little common sense. But you

                        HARDlinks are OK, SYMlinks are not. I can't let your PC mentality
                        dictate Postfix's security policies.

                        Wietse
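Added example, not code from Postfix and not from anyone in this thread: a small C check that implements the policy stated in messages 6 and 10 (a .forward must be a regular file in a location writable only by the recipient or the administrator; a hard link is acceptable because it is just another name for the same inode, a symlink is not because the name under the user's control can be redirected anywhere). The key design point is to use lstat() rather than stat(), so that a symlink is seen as a symlink before anything is opened. The function names fwd_classify, fwd_check_path and fwd_run_demo, the exact ownership rule (recipient or root) and the refusal of group- or world-writable files are this example's own choices, not a description of what dotforward.c checks; the scratch files and their contents are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the sanity check on a candidate .forward file. */
typedef enum {
    FWD_OK,            /* regular file, owned by recipient or root, not group/world writable */
    FWD_SYMLINK,       /* a symlink: refused, whatever it points to */
    FWD_NOT_REGULAR,   /* directory, device node, FIFO, socket, ... */
    FWD_BAD_OWNER,     /* owned by someone other than the recipient or root */
    FWD_BAD_PERMS,     /* writable by group or others */
    FWD_STAT_FAILED    /* lstat() failed (missing file, EACCES, ...) */
} fwd_status;

/* Policy applied to an lstat() result (assumed policy, see lead-in). Because the
 * caller used lstat(), a symlink arrives with S_IFLNK set and is refused before
 * its target is ever looked at; a hard link is indistinguishable from the
 * original regular file and passes on the same terms. */
fwd_status fwd_classify(const struct stat *st, uid_t recipient)
{
    if (S_ISLNK(st->st_mode))
        return FWD_SYMLINK;
    if (!S_ISREG(st->st_mode))
        return FWD_NOT_REGULAR;                 /* e.g. /dev/zero, /dev/random */
    if (st->st_uid != recipient && st->st_uid != 0)
        return FWD_BAD_OWNER;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return FWD_BAD_PERMS;
    return FWD_OK;
}

/* lstat() the path (never follow a link) and apply the policy. */
fwd_status fwd_check_path(const char *path, uid_t recipient)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return FWD_STAT_FAILED;
    return fwd_classify(&st, recipient);
}

const char *fwd_status_name(fwd_status s)
{
    static const char *names[] = { "ok", "symlink", "not a regular file",
                                   "bad owner", "group/world writable", "lstat failed" };
    return names[s];
}

/* Reproduce the four cases from the thread in a scratch directory: .forward+a
 * (regular), .forward+b (hard link to +a), .forward+c (symlink to +a) and a
 * world-writable .forward+d. Returns 0 on success, -1 if setup failed. */
struct fwd_demo_result { fwd_status regular, hardlink, symlink, world_writable; };

int fwd_run_demo(struct fwd_demo_result *out)
{
    char dir[64], target[96], hard[96], sym[96], loose[96];
    const char *body = "# constructed .forward content for the demo\n";
    int fd, rc = -1;
    uid_t me = getuid();

    strcpy(dir, "/tmp/fwdcheck.XXXXXX");
    if (mkdtemp(dir) == NULL) {                 /* fall back to the current directory */
        strcpy(dir, "fwdcheck.XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(target, sizeof target, "%s/.forward+a", dir);
    snprintf(hard, sizeof hard, "%s/.forward+b", dir);
    snprintf(sym, sizeof sym, "%s/.forward+c", dir);
    snprintf(loose, sizeof loose, "%s/.forward+d", dir);

    if ((fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto cleanup;
    if (write(fd, body, strlen(body)) < 0) { close(fd); goto cleanup; }
    close(fd);
    if (link(target, hard) != 0 || symlink(".forward+a", sym) != 0) goto cleanup;
    if ((fd = open(loose, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto cleanup;
    if (fchmod(fd, 0666) != 0) { close(fd); goto cleanup; }   /* umask does not apply to fchmod */
    close(fd);

    out->regular        = fwd_check_path(target, me);
    out->hardlink       = fwd_check_path(hard, me);
    out->symlink        = fwd_check_path(sym, me);
    out->world_writable = fwd_check_path(loose, me);
    rc = 0;

cleanup:
    unlink(target); unlink(hard); unlink(sym); unlink(loose); rmdir(dir);
    return rc;
}

int main(void)
{
    struct fwd_demo_result r;
    if (fwd_run_demo(&r) != 0) {
        perror("fwd_run_demo");
        return 1;
    }
    printf(".forward+a (regular file):    %s\n", fwd_status_name(r.regular));
    printf(".forward+b (hard link):       %s\n", fwd_status_name(r.hardlink));
    printf(".forward+c (symlink):         %s\n", fwd_status_name(r.symlink));
    printf(".forward+d (mode 0666):       %s\n", fwd_status_name(r.world_writable));
    return 0;
}
```

The demo shows why wimpunk's proposed `S_ISLNK` test cannot give the result he wanted: after a stat() call the link is already followed and S_ISLNK is never true, and after an lstat() call accepting S_IFLNK would admit the link without any check on what it resolves to. Refusing symlinks outright and letting hard links through (rob0's suggestion) keeps the check simple and the failure cases obvious.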