On 01/28/2018 01:53 PM, Viktor Dukhovni wrote:
>
> You're not supposed to do this "by hand". Instead, when upgrading from
> source, run:
>
> # postfix set-permissions upgrade-configuration
>
How sensitive is the $mail_owner account? From what I gather, the
set-permissions script (which defers to post-install) is intended to be
run more than once on the same system. It reads postfix-files, which
contains e.g.
$queue_directory/active:d:$mail_owner:-:700:ucr
and then in post-install, lines like that are read...
while IFS=: read path type owner group mode flags junk
and the flags are parsed:
case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac
case $flags in *c*) create_flag=1;; *) create_flag=;; esac
case $flags in *r*) recursive="-R";; *) recursive=;; esac
In particular, that will result in "chown -R" being called on my active
queue directory whenever "postfix set-permissions" is run:
test -n "$set_permission" && {
chown $recursive $owner $path || exit 1
My question is, can't the $mail_owner -- who knows that this is going to
take place eventually -- throw a hard link into the active queue that
points to a sensitive file? Proof of concept:
$ sudo su postfix -s /bin/sh -c 'ln /etc/passwd
/var/spool/postfix/active/x'
$ sudo postfix set-permissions
$ ls /etc/passwd
-rw-r--r-- 2 postfix root 1.4K 2018-01-27 11:47 /etc/passwd