Date: Tue, 4 Dec 2001 16:19:34 +0100
From: Matthias Andree <[email protected]>
To: [email protected]Subject: SUSEconfig weakens Postfix chroot security
### INTRODUCTION
Postfix is a mail transfer agent for UNIX-like systems written by Wietse
Venema. "Postfix attempts to be fast, easy to administer, and secure,
while at the same time being sendmail compatible enough to not upset
existing users." (quote from http://www.postfix.org/)
SuSE Linux is a Linux distribution, which the vendor claims as being the
most comprehensive, stable and secure operating system on the market
(http://www.suse.de/en/index.html). SuSE Linux ships - among a lot of
other packages - with Postfix and Sendmail.
### SUMMARY OF THE ISSUE
SuSEconfig sets up the chroot for Postfix insecurely. It gives away
system libraries and configuration files to the user that Postfix
processes in the chroot jail run as, this is not a security issue in
itself, but it weakens one of the security barriers that chroot is
supposed to impose.
SuSEconfig also tampers with the permissions in Postfix' mail submission
directories, which can prevent Postfix from cleaning up after itself,
leading to filled disks and making tracking local malicious users more
difficult.
### SCOPE
SuSE Linux systems that use a SuSE Postfix RPM:
I cannot do research on all the SuSEconfig.postfix versions out there,
so if you run a different version than any of those shown below, check
out yourself with "grep chown /sbin/conf.d/SuSEconfig". For the -63 RPM
mentioned below, this yields:
chown -R postfix /var/spool/postfix/*
I suspect that all Postfix RPMs that SuSE packaged before December 2001
have this weak spot.
--- AFFECTED SUSE RPMS
(I only list here versions that I checked personally.)
unconditionally:
postfix-19991231pl08-26 (SuSE 7.0 CD)
postfix-19991231pl13-3 (ftp.suse.com update area for 7.0)
postfix-20010228-4 (ftp.suse.com update area for 7.1)
if POSTFIX_CHROOT="yes":
postfix-20010228pl04-20 (SuSE 7.3 CD)
if POSTFIX_CHROOT="yes" and POSTFIX_CREATECF="yes":
postfix-20010228pl04-63 (ftp.suse.com update area for 7.3)
--- UNAFFECTED
* SuSE Linux systems that run other mail transfer agents than Postfix
are unaffected.
* SuSE Linux systems that run a manually installed copy of Postfix
(from source of from another RPM maintainer) and that have properly
removed SuSE's RPM (particularly, /sbin/conf.d/SuSEconfig.postfix*
must have been erased) are also unaffected.
### "VENDOR" (MAINTAINER) STATUS
DATE OF CONTACT: 2001-11-28 13:41:10 (UTC)
1. The Software itself is unaffected. I thank Wietse Venema who helped
finding the bug and showed it is not a problem with Postfix or the
Postfix default installation.
2. The Packager who provided the configuration script: I contacted
[email protected] and [email protected] by email about the problems
below on 2001-11-28 (last Wednesday) at 13:41 UTC, I asked them to
respond within 120 hours, and offered to wait longer with announcing
this problem publically in case they have reasons to defer that.
My mail was received by mail.suse.de[213.95.15.193] as queue-ID
0B7BC1E535 at that day, 13:41:10 UTC, but I got no reply, and no new
Postfix RPM had appeared at ftp.suse.com until 14:00 UTC today,
2001-12-03.
I can no longer withhold this information from the public; with the
public release I hope to avoid that other users run into the problems
described below.
### ISSUE ###
--- WEAKNESSES IN SUSECONFIG.POSTFIX
These explanations refer to the postfix-20010228pl04-63 RPM for SuSE
Linux 7.3 i386, as found on ftp.suse.com, unless otherwise stated.
1. (security) (applies to all versions listed AFFECTED above) SuSEconfig
gives away the files it places in the etc/*, lib/*, usr/* chroot
environment to the user that is to be jailed there. In the unlikely
event that a bug in a Postfix daemon (no such bugs are known to me at
this time) allows a break-in, the attacker can replace any lib/* file
and screw up royally.
The chroot rationale is to set up a controlled, small, working
environment for a process without special privileges. The additional
security this can provide is undermined when the process that is run
in the chroot can change that "controlled" environment.
I therefore recommend that the chroot libraries and configuration
files belong to the privileged root user and be configured to mode
755 or 644 so that in no event the process kept in the chroot can
tamper with the libraries and files.
2. SuSEconfig.postfix' chroot setup code contains the line
chown -R postfix /var/spool/postfix/*
This constitues a race against Postfix daemons (no matter if the
Postfix system is running or stopped).
When a mail is injected by means of Postfix' /usr/sbin/sendmail
compatibility program (no matter if that calls upon postdrop itself),
the injected mail file belongs to the user running the sendmail
compatibility program.
When SuSEconfig runs (on systems that have a configuration option to
use chroot, this needs to be "yes") and a local mail injection goes
wrong at the same time, the injecting daemon (sendmail or postdrop)
can no longer remove the broken mail file. This can get nasty if the
injected mail is large, because Postfix can no longer remove the file
that it rejected as "too large". Filled disks may result.
Also, after this chown command has completed, it is more difficult to
figure out which user has injected the offending mail if malice is
suspected.
--- STRANGENESS IN PACKAGING UPDATES
3. SuSE have included the essence of Postfix-20010228-patch07 and
patch08, but stuck with -pl04 otherwise, omitting patch05 and
patch06. The rationale why SuSE chose to not simply update to the
latest bugfix level which does not add features or change documented
behaviour is unexplained and remains unclear. (Please note that since
the release of Postfix-20010228, Postfix-19991231 is unmaintained in
favor of the 20010228 official non beta stable release.)
### ACKNOWLEDGEMENTS
I thank these persons for their help with this issue:
W. Z. Venema - for helping to find the bug
C. Ludwig - for proofreading this announcement
R. Hildebrandt - for proofreading this announcement
### ORIGINATOR/COPYRIGHT/LICENSE/WARRANTIES
(C) 2001 by Matthias Andree.
Permission is granted to copy and/or distribute this document under the
terms of the GNU Free Documentation License, Version 1.1 or any later
version published by the Free Software Foundation; with the Invariant
Sections being THE WHOLE DOCUMENT (each section is invariant). No Front-
or Back-Cover Texts are provided. The GNU Free Documentation License is
available at http://www.gnu.org/licenses/fdl.html.
