Control: retitle -1 [chroot] postfix: race condition on cp in /etc/network/if-*.d/postfix scripts
Control: tag -1 - confirmed security + moreinfo

On Wed, 25 Apr 2018 11:20:40 +0200 Vincent Lefevre <[email protected]> wrote:
> Package: postfix
> Version: 3.3.0-1
> Severity: important
> Tags: security
>
> The /etc/network/if-*.d/postfix scripts contain:
>
> if [ ! -x /sbin/resolvconf ]; then
>         f=/etc/resolv.conf
>         if ! cp $f $(postconf -hx queue_directory)$f 2>/dev/null; then
>                 exit 0
>         fi
>
> If two such scripts run concurrently (which is now possible), the two
> "cp" commands can also run concurrently, with unexpected results on
> the generated resolv.conf file for postfix.

Which unexpected result do you see might occur here?

cp(1) does open(O_TRUNC), write(), close().  The write() will write at
the current file position, not appending.  When two concurrently run
cp(1) processes write it at the same time, the result will be the same,
since the content they're writing will be the same too.  So basically,
even if 10 concurrent cp(1) processes are writing at the same time, the
result will be the same resolv.conf in the chroot.

> It might be a security issue as a consequence is that an incorrect
> DNS server could be used.

I don't see it as a security issue, per se.

Thanks,

/mjt
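
Added example (not part of the original message or of the Debian postfix package): one way to make the chroot copy independent of how many hook scripts run at once is to copy into a temporary file in the destination directory and rename it into place, so the target is always either the old file or a complete new one. The function names, the temp-file prefix and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the package's own code.
# Copy SRC to DST so that DST is replaced in a single rename(2) step.
atomic_copy() {
    src=$1
    dst=$2
    dstdir=$(dirname "$dst") || return 1
    # The temp file lives in the destination directory so the final mv is a
    # same-filesystem rename. The ".resolv.conf." prefix is a hypothetical choice.
    tmp=$(mktemp "$dstdir/.resolv.conf.XXXXXX") || return 1
    # mktemp creates the file with mode 0600; make it readable like resolv.conf.
    if cp -- "$src" "$tmp" && chmod 644 "$tmp" && mv -f -- "$tmp" "$dst"; then
        return 0
    fi
    rm -f -- "$tmp"    # failed: leave the existing DST untouched
    return 1
}

# Constructed demonstration: ten concurrent copies into a scratch "chroot".
demo_concurrent_copies() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/chroot/etc"
    # Constructed sample data (192.0.2.53 is a documentation address).
    printf 'nameserver 192.0.2.53\nsearch example.test\n' > "$work/resolv.conf"
    pids=
    for i in 1 2 3 4 5 6 7 8 9 10; do
        atomic_copy "$work/resolv.conf" "$work/chroot/etc/resolv.conf" &
        pids="$pids $!"
    done
    rc=0
    for p in $pids; do
        wait "$p" || rc=1
    done
    # The installed file must be byte-identical to the source ...
    cmp -s "$work/resolv.conf" "$work/chroot/etc/resolv.conf" || rc=1
    # ... and no temporary files may be left behind.
    leftovers=$(find "$work/chroot/etc" -name '.resolv.conf.*' | wc -l)
    [ "$leftovers" -eq 0 ] || rc=1
    rm -rf "$work"
    return $rc
}

demo_concurrent_copies && echo "chroot copy matches source"
```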
