Wietse Venema:
> Scott Kitterman:
> > It would be nice to get a read from the Postfix developers if this issue
> > recently reported to oss-security [1] is relevant to Postfix on systems
> > with support for Berkeley DB databases?
>
> Set-[ug]id privilege escalation with environment settings that
> modify the behavior of a library? Not relevant.
Hmm. This is about a fixed pathname in the current directory.

Postfix daemons run with cwd == /var/spool/postfix, which is writable only by root. So that is safe.

Set-gid Postfix non-daemon programs will eventually chdir() to /var/spool/postfix, but it is possible that PAM or NSS opens a db file before that time, or that postdrop or postqueue open a db file while initializing some main.cf setting. I guess that means one could trick Berkeley DB into reading a message file in the maildrop directory, if you know the maildrop file name. Normally, a maildrop file will be removed quickly by the pickup daemon, so I don't know how realistic an attack like this would be.

Other Postfix non-daemon programs run with the same privileges as the process that invokes the command. There is no privilege escalation.

	Wietse
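The point above is about ordering: a set-[ug]id program is only safe from a library that resolves a fixed relative filename once its current directory is one that untrusted users cannot write to. The following is an added example written for this page, not Postfix code and not from anyone in the thread. It shows the check a privileged program can make after chdir() and before initializing any library: verify, via fstat() on the directory actually entered rather than a second lookup by name, that the cwd is a root-owned directory that is not group- or other-writable. The default path /var/spool/postfix is taken from the message; the function names and the main() usage are assumptions for illustration.

```c
/* Added example (not Postfix code): verify the current directory is
 * trusted before calling into libraries that may open fixed relative
 * filenames. Build: cc -o trusted_cwd trusted_cwd.c */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure predicate: a directory is a trusted cwd for a privileged program
 * if it is a directory, owned by root, and not writable by group or
 * others. Kept separate from the filesystem calls so it can be tested
 * on constructed stat data. */
int stat_is_trusted_dir(const struct stat *st)
{
    if (!S_ISDIR(st->st_mode))
        return 0;
    if (st->st_uid != 0)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* chdir() into path, then check the directory we actually landed in.
 * Opening "." and using fstat() (instead of stat(path) a second time)
 * means a rename race cannot substitute a different directory between
 * the check and later relative opens. Returns 1 if trusted, 0 otherwise. */
int enter_trusted_dir(const char *path)
{
    struct stat st;
    int fd, ok;

    if (chdir(path) != 0)
        return 0;
    fd = open(".", O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return 0;
    ok = (fstat(fd, &st) == 0) && stat_is_trusted_dir(&st);
    close(fd);
    return ok;
}

/* Hypothetical usage: a set-gid tool enters the spool directory before
 * any PAM/NSS/db initialization, and refuses to continue otherwise. */
int main(int argc, char **argv)
{
    const char *dir = (argc > 1) ? argv[1] : "/var/spool/postfix";

    if (!enter_trusted_dir(dir)) {
        fprintf(stderr, "%s: not a root-owned, non-writable directory; "
                "refusing to initialize libraries here\n", dir);
        return 1;
    }
    /* Only now is it safe to call into code that may resolve a fixed
     * relative filename (database opens, PAM, NSS lookups). */
    printf("cwd %s is trusted; proceeding with initialization\n", dir);
    return 0;
}
```

The first check, `stat_is_trusted_dir`, is what a reviewer would look for; the second, `enter_trusted_dir`, fixes the order of operations that the message describes as the actual risk. A world-writable directory such as /tmp (mode 1777) fails the check, while a root-owned 0755 directory passes.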