The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


SUSEconfig weakens Postfix chroot security


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 4 Dec 2001 16:19:34 +0100
From: Matthias Andree <[email protected]>
To: [email protected]
Subject: SUSEconfig weakens Postfix chroot security

### INTRODUCTION

Postfix is a mail transfer agent for UNIX-like systems written by Wietse
Venema. "Postfix attempts to be fast, easy to administer, and secure,
while at the same time being sendmail compatible enough to not upset
existing users." (quote from http://www.postfix.org/)

SuSE Linux is a Linux distribution, which the vendor claims as being the
most comprehensive, stable and secure operating system on the market
(http://www.suse.de/en/index.html). SuSE Linux ships - among a lot of
other packages - with Postfix and Sendmail.


### SUMMARY OF THE ISSUE

SuSEconfig sets up the chroot for Postfix insecurely. It gives away
system libraries and configuration files to the user that Postfix
processes in the chroot jail run as, this is not a security issue in
itself, but it weakens one of the security barriers that chroot is
supposed to impose.

SuSEconfig also tampers with the permissions in Postfix' mail submission
directories, which can prevent Postfix from cleaning up after itself,
leading to filled disks and making tracking local malicious users more
difficult.


### SCOPE

SuSE Linux systems that use a SuSE Postfix RPM:

I cannot do research on all the SuSEconfig.postfix versions out there,
so if you run a different version than any of those shown below, check
out yourself with "grep chown /sbin/conf.d/SuSEconfig".  For the -63 RPM
mentioned below, this yields:

        chown -R postfix /var/spool/postfix/*

I suspect that all Postfix RPMs that SuSE packaged before December 2001
have this weak spot.

--- AFFECTED SUSE RPMS

    (I only list here versions that I checked personally.)

    unconditionally:
    postfix-19991231pl08-26 (SuSE 7.0 CD)
    postfix-19991231pl13-3  (ftp.suse.com update area for 7.0)
    postfix-20010228-4      (ftp.suse.com update area for 7.1)

    if POSTFIX_CHROOT="yes":
    postfix-20010228pl04-20 (SuSE 7.3 CD)

    if POSTFIX_CHROOT="yes" and POSTFIX_CREATECF="yes":
    postfix-20010228pl04-63 (ftp.suse.com update area for 7.3)

--- UNAFFECTED

    * SuSE Linux systems that run other mail transfer agents than Postfix
    are unaffected.

    * SuSE Linux systems that run a manually installed copy of Postfix
    (from source of from another RPM maintainer) and that have properly
    removed SuSE's RPM (particularly, /sbin/conf.d/SuSEconfig.postfix*
    must have been erased) are also unaffected.


### "VENDOR" (MAINTAINER) STATUS

DATE OF CONTACT: 2001-11-28 13:41:10 (UTC)

1. The Software itself is unaffected. I thank Wietse Venema who helped
   finding the bug and showed it is not a problem with Postfix or the
   Postfix default installation.

2. The Packager who provided the configuration script: I contacted
   [email protected] and [email protected] by email about the problems
   below on 2001-11-28 (last Wednesday) at 13:41 UTC, I asked them to
   respond within 120 hours, and offered to wait longer with announcing
   this problem publically in case they have reasons to defer that.

   My mail was received by mail.suse.de[213.95.15.193] as queue-ID
   0B7BC1E535 at that day, 13:41:10 UTC, but I got no reply, and no new
   Postfix RPM had appeared at ftp.suse.com until 14:00 UTC today,
   2001-12-03.

I can no longer withhold this information from the public; with the
public release I hope to avoid that other users run into the problems
described below.


### ISSUE ###

--- WEAKNESSES IN SUSECONFIG.POSTFIX

These explanations refer to the postfix-20010228pl04-63 RPM for SuSE
Linux 7.3 i386, as found on ftp.suse.com, unless otherwise stated.

1. (security) (applies to all versions listed AFFECTED above) SuSEconfig
   gives away the files it places in the etc/*, lib/*, usr/* chroot
   environment to the user that is to be jailed there.  In the unlikely
   event that a bug in a Postfix daemon (no such bugs are known to me at
   this time) allows a break-in, the attacker can replace any lib/* file
   and screw up royally.

   The chroot rationale is to set up a controlled, small, working
   environment for a process without special privileges. The additional
   security this can provide is undermined when the process that is run
   in the chroot can change that "controlled" environment.

   I therefore recommend that the chroot libraries and configuration
   files belong to the privileged root user and be configured to mode
   755 or 644 so that in no event the process kept in the chroot can
   tamper with the libraries and files.

2. SuSEconfig.postfix' chroot setup code contains the line

        chown -R postfix /var/spool/postfix/*

   This constitues a race against Postfix daemons (no matter if the
   Postfix system is running or stopped).

   When a mail is injected by means of Postfix' /usr/sbin/sendmail
   compatibility program (no matter if that calls upon postdrop itself),
   the injected mail file belongs to the user running the sendmail
   compatibility program.

   When SuSEconfig runs (on systems that have a configuration option to
   use chroot, this needs to be "yes") and a local mail injection goes
   wrong at the same time, the injecting daemon (sendmail or postdrop)
   can no longer remove the broken mail file. This can get nasty if the
   injected mail is large, because Postfix can no longer remove the file
   that it rejected as "too large". Filled disks may result.

   Also, after this chown command has completed, it is more difficult to
   figure out which user has injected the offending mail if malice is
   suspected.

--- STRANGENESS IN PACKAGING UPDATES

3. SuSE have included the essence of Postfix-20010228-patch07 and
   patch08, but stuck with -pl04 otherwise, omitting patch05 and
   patch06.  The rationale why SuSE chose to not simply update to the
   latest bugfix level which does not add features or change documented
   behaviour is unexplained and remains unclear. (Please note that since
   the release of Postfix-20010228, Postfix-19991231 is unmaintained in
   favor of the 20010228 official non beta stable release.)


### ACKNOWLEDGEMENTS

   I thank these persons for their help with this issue:

   W. Z. Venema         - for helping to find the bug
   C. Ludwig            - for proofreading this announcement
   R. Hildebrandt       - for proofreading this announcement


### ORIGINATOR/COPYRIGHT/LICENSE/WARRANTIES

(C) 2001 by Matthias Andree.

Permission is granted to copy and/or distribute this document under the
terms of the GNU Free Documentation License, Version 1.1 or any later
version published by the Free Software Foundation; with the Invariant
Sections being THE WHOLE DOCUMENT (each section is invariant). No Front-
or Back-Cover Texts are provided. The GNU Free Documentation License is
available at http://www.gnu.org/licenses/fdl.html.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру