On 10/22/2010 11:32 AM, Kousuke Ebihara wrote:
Hi,
I have a question about OS command injection attack in forwarding
e-mail to command.
Postfix alias database allows the following configuration. It forwards
to e-mail to the specified command:
alias: /path/to/command
I think Postfix executes the following command (my guessing...):
No.
Postfix executes these commands directly, nothing is exposed to a shell
or command processor.
The obvious exception is if you run an executable shell script, but you
should always specify the shell to run that with and not rely on the OS
to do that for you.
echo $e_mail | /path/to/command
I suggest you read the documentation for external command execution,
which will tell you what actually happens.
But e-mail is a kind of user inputted value. So I'm worried that
Postfix might execute commands in a content of e-mail.
Postfix does not parse, process or otherwise influence mail sent to
external commands.
Of course, what your chosen external command does is not under postfix's
control.
Of course I believe Postfix doesn't execute command by user inputted
value. But I couldn't find any evidences...
The documentation for local(8) and pipe(8) states EXACTLY how and under
which conditions external commands are executed.
http://www.postfix.org/local.8.html
http://www.postfix.org/pipe.8.html
The postfix documentation exlains at length which security implications
running external commands has, and has an excellent track record.
Nothing will ever be executed as root, and delivery is done as the
mailbox user, period.
--
J.
