Bug 36356 - Security issue: Postfix's mysql database password visible to normal users
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Sven Vermeulen (RETIRED)
URL: http://forums.gentoo.org/viewtopic.ph...
Reported: 2003-12-23 04:23 UTC by Graeme Donaldson
Modified: 2004-02-08 00:02 UTC

Attachments
Patch to virt-mail-howto.xml (temp.diff, 1.03 KB, patch)
2004-02-07 10:40 UTC, Sven Vermeulen (RETIRED)

Description Graeme Donaldson 2003-12-23 04:23:10 UTC
Normal users can read /etc/postfix/mysql-*.cf, which contains the password used for the mailsql database, which in turn means any normal user can cause havoc with your mail system.

I have experimented with changing permissions and ownership of the files, to no avail.

Reproducible: Always
Steps to Reproduce:
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2003-12-23 05:02:22 UTC
This is a bug with postfix, NOT MySQL.
Comment 2 Graeme Donaldson 2003-12-23 06:15:09 UTC
Correct.  My apologies for being a little vague initially.
Comment 3 Max Kalika (RETIRED) gentoo-dev 2003-12-23 09:11:08 UTC
You left out critical information: the version of postfix affected and the emerge --info screen. Also, to my knowledge the postfix ebuilds (at least the ones I worked on) do _not_ install any /etc/postfix/mysql-*.cf files. In fact, there are only two .cf files that postfix recognizes: main and master. Everything else is maps that you configured in main.cf, and those things shouldn't be called .cf and they shouldn't be stored in /etc/postfix (but this is certainly not a requirement nor restriction in any way). But if you are going to use mysql (or any other db) maps, you need to take care to protect them from users. Since this is something you created, I can't see how the postfix ebuild can fix this. Or am I not understanding your problem?

Incidentally, I have several mysql maps for various things (virtual users, mailman aliases, etc) and mine are all secured:

ike staff # ls -l /etc/mail
total 48
-rw-r--r--    1 root     mail          113 Nov  9 13:16 aliases
-rw-r--r--    1 root     mail        12288 Nov  9 13:17 aliases.db
-rw-r-----    1 root     postfix       129 Nov  9 13:16 domains
-rw-r-----    1 root     postfix     12288 Nov  9 13:17 domains.db
-rw-r-----    1 root     postfix       188 Nov  9 13:19 mailman
-rw-r-----    1 root     postfix       222 Nov  9 13:21 relocated
drwxr-xr-x    2 root     root           72 Nov  3 19:26 spamassassin
-rw-r-----    1 root     postfix       263 Dec  5 13:33 transport
-rw-r-----    1 root     postfix       243 Dec  5 13:33 virtual


As you can see, the mailman, relocated, transport and virtual files have "safe" permissions and those are my mysql maps.

To summarize, can you elaborate what the problem is?
Comment 4 Graeme Donaldson 2003-12-23 09:51:55 UTC
Max,

The problem is fully explained on http://forums.gentoo.org/viewtopic.php?t=93894. Basically, I couldn't get postfix to deliver to virtual mailboxes after protecting the maps by changing the permissions on them to "rw" for root and "r" for "mail" (the group). I see this is effectively the same as what you have, only your group ownership is postfix. I will try again using permissions like those you have and then I'll see if it will work.

As for your other comments, firstly I never claimed that changing the postfix e-build would fix the problem.  I am aware that there are no mysql maps in a standard postfix installation.  In fact, I originally posted this as a bug in the Virtual mailhosting howto, since I figured it was most likely a question of ownership and permissions, but I just couldn't figure out what they should be, nor could anyone else on the forum thread I mentioned earlier in this comment.  I reasoned that since this security issue was a concern with a specific postfix configuration (i.e. that described in the guide), it was only fitting that it be reported to and investigated by the persons responsible for that document, with the ultimate goal of including the relevant ownership and permissions in the document.

Secondly, you say that map files should not be named *.cf nor should they be stored in /etc/postfix. I honestly don't see why you said that ... since the map files do relate to postfix, what better place to put them than /etc/postfix? What's the difference whether map files are named .cf, .map, .foo or .bar? Anyway, that's not a big concern. What does concern me is that there seems to be a lack of continuity here between the postfix maintainer(s) (I assume that's what you are) and the folks who wrote the virtual mailhosting guide, since that was where I was working from and that was how the guide specified the files should be named/saved. I imagine it could get rather confusing for a new user, receiving conflicting information from two equally authoritative groups.

To summarise:
I still believe this is merely an oversight on the part of those who wrote the virtual mailhosting guide, and should be investigated by them.  The real issue is summarised by what you said, i.e. "But if you are going to use mysql (or any other db) maps, you need to take care to protect them from users.".  I am sure it was a simple oversight that the guide's authors didn't think of this.

P.S. after re-reading this, I realise I might sound a little cocky.  This is not the case at all. ;-)
Comment 5 Graeme Donaldson 2003-12-24 10:20:44 UTC
Max,

I used the same ownership and permissions that you showed and now it works perfectly.  I think the only difference was that I had the group ownership set to "mail", not "postfix".

This needs to be brought to the attention of the folks who wrote the virtual mailhosting guide but I'm not sure how to change this now.  Do I just close this bug report and open a new one?
Comment 6 Donnie Berkholz (RETIRED) gentoo-dev 2003-12-24 10:29:27 UTC
We'll just reassign it to the appropriate people.
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2004-02-07 10:40:08 UTC
Created attachment 25138
Patch to virt-mail-howto.xml

This patch adds a chmod/chgrp sequence to fix the permissions. Anyone care to
double-check?
Comment 8 Graeme Donaldson 2004-02-07 23:22:11 UTC
The patch is perfect, except that /etc/mail/mysql-*.cf should be /etc/postfix/mysql-*.cf.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2004-02-08 00:02:35 UTC
Thanks. Committed to CVS.
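
The resolution reached in this thread (map files group-owned by postfix, readable by that group, closed to everyone else) can be checked and applied with a short script. This is an added example, not part of the bug report or the howto patch, whose exact commands are not shown on this page. The function names are hypothetical, mode 640 is taken from the listing in Comment 3, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the bug or the howto. Assumes GNU stat (Linux).
# audit_maps DIR GROUP: report mysql-*.cf map files under DIR that are
# accessible to "other" or that GROUP (name or numeric gid) cannot read.
# Returns 0 when every file passes, 1 otherwise.
audit_maps() {
    dir=${1:-/etc/postfix}
    want=${2:-postfix}
    bad=0
    for f in "$dir"/mysql-*.cf; do
        [ -e "$f" ] || continue                      # glob matched nothing
        mode=$(printf '%04d' "$(stat -c %a "$f")")   # e.g. 0644
        group=$(stat -c %G "$f")
        gid=$(stat -c %g "$f")
        # Last octal digit non-zero: any local user has some access.
        case $mode in
            ???[1-7]) echo "$f: mode $mode lets any local user access it"; bad=1 ;;
        esac
        # Group digit without the read bit (4): the daemon cannot read the map.
        case $mode in
            ??[0-3]?) echo "$f: mode $mode gives the group no read access"; bad=1 ;;
        esac
        # Wrong group is the failure described in Comment 5 ("mail" vs "postfix").
        case $want in
            "$group"|"$gid") ;;
            *) echo "$f: group is $group, expected $want"; bad=1 ;;
        esac
    done
    return "$bad"
}

# fix_maps DIR GROUP: apply a chgrp/chmod sequence to each map file.
fix_maps() {
    dir=${1:-/etc/postfix}
    want=${2:-postfix}
    for f in "$dir"/mysql-*.cf; do
        [ -e "$f" ] || continue
        chgrp "$want" "$f" && chmod 640 "$f"
    done
}
```

Run `audit_maps /etc/postfix postfix` as root; a non-zero exit status means at least one map file still needs `fix_maps`.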