2
0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 05:38:06 +00:00

postfix-2.5.4

This commit is contained in:
Wietse Venema 2008-08-14 00:00:00 -05:00 committed by Viktor Dukhovni
parent fa3a2cce64
commit 22aa53b314
4 changed files with 41 additions and 4 deletions

View File

@ -14411,3 +14411,22 @@ Apologies for any names omitted.
by the recipient. Requested by Sebastian Krahmer, SuSE.
Specify "strict_mailbox_ownership=no" to ignore ownership
discrepancies. Files: local/mailbox.c, virtual/mailbox.c.
20080804
Bugfix: dangling pointer in vstring_sprintf_prepend().
File: util/vstring.c.
20080814
Security: some systems have changed their link() semantics,
and will hardlink a symlink, contrary to POSIX and XPG4.
Sebastian Krahmer, SuSE. File: util/safe_open.c.
The solution introduces the following incompatible change:
when the target of mail delivery is a symlink, the parent
directory of that symlink must now be writable by root only
(in addition to the already existing requirement that the
symlink itself is owned by root). This change will break
legitimate configurations that deliver mail to a symbolic
link in a directory with less restrictive permissions.

View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20080726"
#define MAIL_VERSION_NUMBER "2.5.3"
#define MAIL_RELEASE_DATE "20080814"
#define MAIL_VERSION_NUMBER "2.5.4"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

View File

@ -83,6 +83,7 @@
#include <msg.h>
#include <vstream.h>
#include <vstring.h>
#include <stringops.h>
#include <safe_open.h>
/* safe_open_exist - open existing file */
@ -138,13 +139,29 @@ static VSTREAM *safe_open_exist(const char *path, int flags,
* for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks
* owned by a non-root user. This would open a security hole when
* delivering mail to a world-writable mailbox directory.
*
* Sebastian Krahmer of SuSE brought to my attention that some systems have
* changed their semantics of link(symlink, newpath), such that the
* result is a hardlink to the symlink. For this reason, we now also
* require that the symlink's parent directory is writable only by root.
*/
else if (lstat(path, &lstat_st) < 0) {
vstring_sprintf(why, "file status changed unexpectedly: %m");
errno = EPERM;
} else if (S_ISLNK(lstat_st.st_mode)) {
if (lstat_st.st_uid == 0)
return (fp);
if (lstat_st.st_uid == 0) {
VSTRING *parent_buf = vstring_alloc(100);
const char *parent_path = sane_dirname(parent_buf, path);
struct stat parent_st;
int parent_ok;
parent_ok = (stat(parent_path, &parent_st) == 0 /* not lstat */
&& parent_st.st_uid == 0
&& (parent_st.st_mode & (S_IWGRP | S_IWOTH)) == 0);
vstring_free(parent_buf);
if (parent_ok)
return (fp);
}
vstring_sprintf(why, "file is a symbolic link");
errno = EPERM;
} else if (fstat_st->st_dev != lstat_st.st_dev

View File

@ -624,6 +624,7 @@ VSTRING *vstring_sprintf_prepend(VSTRING *vp, const char *format,...)
result_len = VSTRING_LEN(vp);
/* Construct: old|new|old|free */
VSTRING_SPACE(vp, old_len);
vstring_memcat(vp, vstring_str(vp), old_len);
/* Construct: new|old|free */