Loading ...
Sorry, an error occurred while loading the content.

Re: Dot forward not reading links

Expand Messages
  • wimpunk
    ... No, my point is that if it would point to /dev/zero or /dev/random, it would fail because the file is world writable. If you want to check on malicious
    Message 1 of 10 , Dec 1, 2012
    • 0 Attachment
      On Fri, Nov 30, 2012 at 11:41 PM, Wietse Venema <wietse@...> wrote:
      > wimpunk:
      >> On Fri, Nov 30, 2012 at 11:10 PM, Wietse Venema <wietse@...> wrote:
      >> > wimpunk:
      >> >> Hi,
      >> >>
      >> >> I've been wondering why my .forward files didn't worked like I
      >> >> expected and finally I found out dotforward doesn't accept linked
      >> >> files. Is there any reason why dotforward doesn't read links? In
      >> >> src/local/dotforward.c (line232 of the latest debian version) I wanted
      >> >> to change
      >> >
      >> > What if the symlink points to /dev/zero or /dev/random?
      >> >
      >> > Wietse
      >>
      >> It would fail because the file would be world writable.
      >
      > Right, and your point is that all malicious symlinks under all
      > user's home directories will always resolve to a world-writable
      > file, so I should not have to worry about such things.
      >
      > Wietse

      No, my point is that if it would point to /dev/zero or /dev/random, it
      would fail because the file is world writable.

      If you want to check on malicious links, postfix could verify if the
      link it points to is a file with the correct features.
      I believe there is no need for such check. If you're afraid of
      malicious files, you better just disable the userforward feature.
      People could write their own malicious files. There is actually not
      that much difference between doing a cp or doing a ln, or at least not
      from my point of view. I'm pretty much interested in what you
      consider as a malicious file and why it should be considered as a much
      bigger risk than using the normal dotforward files.

      The reason I searched for this is because I just wanted to make my own
      management easier. I had a .forward+a file which filtered the mail to
      a specific folder in my mailbox. Because I wanted the mail send to
      ${user}+b and ${user}+c handled the same way, I created a link named
      .forward+b and .forward+c which pointed to .forward+a but as we know,
      it didn't worked.

      Regards,

      wimpunk.
    • Wietse Venema
      ... The .forward file is a program that can execute arbitrary shell commands and that can write to arbitrary files, with the privileges of the recipient
      Message 2 of 10 , Dec 1, 2012
      • 0 Attachment
        wimpunk:
        > If you want to check on malicious links, postfix could verify if the
        > link it points to is a file with the correct features.

        The .forward file is a "program" that can execute arbitrary shell
        commands and that can write to arbitrary files, with the privileges
        of the recipient (which may be "root"). All this makes .forward a
        sensitive file.

        Common-sense measures to protect a sensitive file are:

        - Keeping the file within a directory that is writable only by the
        recipient or by the system adminstrator.

        - Using a "hidden" name in the user's home directory, such that the
        file isn't easily destroyed by mistake.

        If you want Postfix to look for .forward files in other locations,
        then you can edit the forward_path parameter setting. The default
        is to look under the home directory.

        forward_path = $home/.forward${recipient_delimiter}${extension},
        $home/.forward

        Here is an example with per-user files under /var/forward:

        forward_path = /var/forward/$user

        Of course you can mix the two models.

        Wietse
      • /dev/rob0
        ... Hard links work fine. -- http://rob0.nodns4.us/ -- system administration and consulting Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
        Message 3 of 10 , Dec 1, 2012
        • 0 Attachment
          On Sat, Dec 01, 2012 at 09:51:05AM +0100, wimpunk wrote:
          > The reason I searched for this is because I just wanted to make my
          > own management easier. I had a .forward+a file which filtered the
          > mail to a specific folder in my mailbox. Because I wanted the mail
          > send to ${user}+b and ${user}+c handled the same way, I created a
          > link named .forward+b and .forward+c which pointed to .forward+a
          > but as we know, it didn't worked.

          Hard links work fine.
          --
          http://rob0.nodns4.us/ -- system administration and consulting
          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
        • wimpunk
          ... Thanks for the feedback but still I don t get the point why it would make any difference between using a link or a file as .forward. That link could only
          Message 4 of 10 , Dec 4, 2012
          • 0 Attachment
            On Sat, Dec 1, 2012 at 2:52 PM, Wietse Venema <wietse@...> wrote:
            > wimpunk:
            >> If you want to check on malicious links, postfix could verify if the
            >> link it points to is a file with the correct features.
            >
            > The .forward file is a "program" that can execute arbitrary shell
            > commands and that can write to arbitrary files, with the privileges
            > of the recipient (which may be "root"). All this makes .forward a
            > sensitive file.
            >
            > Common-sense measures to protect a sensitive file are:
            >
            > - Keeping the file within a directory that is writable only by the
            > recipient or by the system adminstrator.
            >
            > - Using a "hidden" name in the user's home directory, such that the
            > file isn't easily destroyed by mistake.
            >
            > If you want Postfix to look for .forward files in other locations,
            > then you can edit the forward_path parameter setting. The default
            > is to look under the home directory.
            >
            > forward_path = $home/.forward${recipient_delimiter}${extension},
            > $home/.forward
            >
            > Here is an example with per-user files under /var/forward:
            >
            > forward_path = /var/forward/$user
            >
            > Of course you can mix the two models.
            >
            > Wietse

            Thanks for the feedback but still I don't get the point why it would
            make any difference between using a link or a file as .forward. That
            link could only be written by the sysadmin or me. The only thing you
            have to trust is having users with a little common sense. But you
            also need it if you want to use user defined .forward files.


            wimpunk.
          • wimpunk
            ... Sorry for the late reply but it sounds like a good plan. :-) Tnx! wimpunk.
            Message 5 of 10 , Dec 4, 2012
            • 0 Attachment
              On Sat, Dec 1, 2012 at 5:49 PM, /dev/rob0 <rob0@...> wrote:
              > On Sat, Dec 01, 2012 at 09:51:05AM +0100, wimpunk wrote:
              >> The reason I searched for this is because I just wanted to make my
              >> own management easier. I had a .forward+a file which filtered the
              >> mail to a specific folder in my mailbox. Because I wanted the mail
              >> send to ${user}+b and ${user}+c handled the same way, I created a
              >> link named .forward+b and .forward+c which pointed to .forward+a
              >> but as we know, it didn't worked.
              >
              > Hard links work fine.

              Sorry for the late reply but it sounds like a good plan. :-) Tnx!

              wimpunk.
            • Wietse Venema
              ... HARDlinks are OK, SYMlinks are not. I can t let your PC mentality dictate Postfix s security policies. Wietse
              Message 6 of 10 , Dec 4, 2012
              • 0 Attachment
                wimpunk:
                > Thanks for the feedback but still I don't get the point why it would
                > make any difference between using a link or a file as .forward. That
                > link could only be written by the sysadmin or me. The only thing you
                > have to trust is having users with a little common sense. But you

                HARDlinks are OK, SYMlinks are not. I can't let your PC mentality
                dictate Postfix's security policies.

                Wietse
              Your message has been successfully submitted and would be delivered to recipients shortly.