Luc Pardon:
> The first question is obviously: can we disallow symlinks to the outside
> world by definition? I'd say the answer is yes, but $(whoami) ?

Here is some background on pathname safety.

A symlink is unsafe if it resolves to an unsafe pathname. A pathname is unsafe if the target itself has unsafe permissions, or if any parent directories have unsafe permissions, or if it resolves through an unsafe symlink. That's a recursive definition, because pathnames are recursive.

And what exactly is a safe pathname? A pathname is safe-for-root if only root has write permission to the target itself or to its parents. A pathname is safe-for-user if only the user and root can write to the target itself or to its parents.

Pathnames under $config_directory files must be safe-for-root. Pathnames under $data_directory files must be safe-for-postfix. Postfix queue files must be safe-for-postfix. The non-queue files under $queue_directory must be safe-for-root.

See also: https://www.ndss-symposium.org/ndss2010/where-do-you-want-go-today-escalating-privileges-pathname-manipulation/

That is a bit beyond what can be done with portable shell utilities alone. I think that it would not be a good idea to make GNU binutils a hard dependency for Postfix. The pathname check would need to be done in a more portable language: possible candidates are Perl (this is already a build dependency) or C.

> Luc
>
> ==================================
> #!/bin/sh
>
> # This would not be needed if integrated into postfix-script:
> BASE=$(postconf -hx config_directory | sed "s/\n$//")
>
> # Search for dangerous symlinks in $1 and its subdirs
> function inspect
> {
> DIR=$1
>
> for f in $DIR/* ; do
> if [ -L $f ]; then
> # if it points outside $BASE, it starts with "../.."

May also be unsafe if it starts with '/'.

	Wietse
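The recursive definition above, written out as a portable check in C (one of the two languages Wietse names); this is an added example, not Postfix code and not anything posted in the thread. The function name path_is_safe_for(), the MAX_LINK_DEPTH bound and the `trusted` parameter are my own: `trusted` is the absolute directory (Luc's $BASE, for instance) whose own parents are assumed to have been verified already, and symlink targets that leave it, whether relative ("../..") or absolute ("/..."), are walked all the way up to "/".

```c
#define _XOPEN_SOURCE 700           /* lstat()/readlink() in strict C modes */
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define MAX_LINK_DEPTH 32           /* bound on symlink hops; catches loops */
/* 1 = safe for `owner`, 0 = unsafe, -1 = a component could not be inspected.
 * Safe means: the node, every parent down to `trusted`, and every symlink
 * target it resolves through are owned by root or `owner` and have no
 * group/world write bit. `trusted` is an absolute directory whose own
 * parents are assumed verified (hypothetical: e.g. config_directory);
 * targets outside it are walked up to "/". `path` must be absolute. */
int path_is_safe_for(const char *path, uid_t owner, const char *trusted, int depth)
{
    char buf[PATH_MAX], link[PATH_MAX], target[PATH_MAX];
    struct stat st; ssize_t n;
    if (depth > MAX_LINK_DEPTH)
        return 0;                   /* symlink loop or absurd chain */
    if (path[0] != '/')
        return -1;                  /* relative paths are ambiguous here */
    /* Parents first: an unsafe parent makes every child unsafe. */
    if (strcmp(path, "/") != 0 && strcmp(path, trusted) != 0) {
        snprintf(buf, sizeof buf, "%s", path);
        int r = path_is_safe_for(dirname(buf), owner, trusted, depth);
        if (r != 1)
            return r;
    }
    if (lstat(path, &st) != 0)
        return -1;
    if (st.st_uid != 0 && st.st_uid != owner)
        return 0;                   /* owned by a third party */
    if (!S_ISLNK(st.st_mode))       /* conservative: any g/o write bit fails */
        return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 0 : 1;
    /* Symlink: take one hop and check the target by the same rules. */
    n = readlink(path, link, sizeof link - 1);
    if (n < 0)
        return -1;
    link[n] = '\0';
    if (link[0] == '/') {           /* absolute target, e.g. "/tmp/x" */
        snprintf(target, sizeof target, "%s", link);
    } else {                        /* relative target: join with parent dir */
        snprintf(buf, sizeof buf, "%s", path);
        if (snprintf(target, sizeof target, "%s/%s", dirname(buf), link) >= (int)sizeof target)
            return 0;               /* would not fit: treat as unsafe */
    }
    return path_is_safe_for(target, owner, trusted, depth + 1);
}
```

The group/world write test is deliberately stricter than the definition (a group-writable directory whose group contains only the owner would also be refused), which errs on the safe side for a setuid-adjacent tool.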
Here is some background on pathname safety. A symlink is unsafe if it resolves to an unsafe pathname. A pathname is unsafe is the target itself has unsafe permissions, or if any parent directories have unsafe permissions, or if it resolves thrugh an unsafe symlink. That's a recursive definition, because pathnames are recursive. And what exactly is a safe pathname? A pathname is safe-for-root if only root has write permission to the target itself or to its parents. A pathname is safe-for-user if only the user and root can write to to the target itself or to its parents. Pathnames under $config_directory files must be safe-for-root. Pathnames under $data_directory files must be safe-for-postfix. Postfix queue files must be safe-for-postfix. The non-queue files under $queue_directory must be safe-for-root. See also: https://www.ndss-symposium.org/ndss2010/where-do-you-want-go-today-escalating-privileges-pathname-manipulation/ That is a bit beyond what can be done with portable shell utilities alone. I think that it would not be a good idea to make GNU binutils a hard dependency for Postfix. The pathname check would need to be done in a more portable language: possible candidates are Perl (this is already a build dependency) or C. > Luc > > ================================== > #!/bin/sh > > # This would not be needed if integrated into postfix-script: > BASE=$(postconf -hx config_directory | sed "s/\n$//") > > # Search for dangerous symlinks in $1 and its subdirs > function inspect > { > DIR=$1 > > for f in $DIR/* ; do > if [ -L $f ]; then > # if it points outside $BASE, it starts with "../.." May also be unsafe if it starts with '/'. Wietse