snapshot-20011217

postfix/HISTORY

@@ -5795,8 +5795,22 @@ Apologies for any names omitted.
 	when the next line starts with whitespace; a comment that
 	is preceded by whitespace does not break multi-line input.
 
+20011217
+
+	Compatibility: Sendmail now has a -L option to set the
+	syslogging label. Postfix sendmail uses syslog_name instead,
+	and ignores the -L option.
+
+	Security: subtle hardening of the Postfix chroot jail,
+	Postfix queue file permissions and access methods, in case
+	someone compromises the postfix account.  Michael Tokarev
+	claims he got the insights from Solar Designer.  Files:
+	master/master_wakeup.c, util/fifo_trigger.c, postfix-script.
+
 Open problems:
 
+	Low: warn about undomained hostnames instead of aborting.
+
 	Low: after reorganizing configuration parameters, add flags
 	to all parameters whose value can be read from file.
 

postfix/RELEASE_NOTES

@@ -1,16 +1,18 @@
-Incompatible changes with snapshot-20011216
+Incompatible changes with snapshot-20011217
 ===========================================
 
-Postfix configuration file comments no longer span multiple lines
-when the next line starts with whitespace. This may cause unexpected
-behavior with existing, improperly formatted, configuration files.
+Postfix configuration file comments no longer continue on the next
+line when that next line starts with whitespace. This change avoids
+surprises, but it may cause unexpected behavior with existing,
+poorly formatted, configuration files. Caveat user.
 
-Major changes with snapshot-20011216
+Major changes with snapshot-20011217
 ====================================
 
 Postfix configuration files now support whitespace before comments.
 This allows you to comment out just one line in the middle of a
-block of multi-line input.
+block of multi-line input. A comment that starts at the beginning
+of a line always terminates previous data.
 
 Incompatible changes with snapshot-20011210
 ===========================================

postfix/conf/postfix-script-nosgid

@@ -184,7 +184,6 @@ check)
 		$WARN creating missing Postfix pid directory
 		mkdir pid || exit 1
 		chmod 755 pid
-		chown $mail_owner pid
 	}
 	for dir in incoming active bounce defer deferred flush saved corrupt; do
 		test -d $dir || {

postfix/conf/postfix-script-sgid

@@ -185,7 +185,6 @@ check)
 		$WARN creating missing Postfix pid directory
 		mkdir pid || exit 1
 		chmod 755 pid
-		chown $mail_owner pid
 	}
 	for dir in incoming active bounce defer deferred flush saved corrupt; do
 		test -d $dir || {

postfix/html/sendmail.1.html

@@ -79,6 +79,10 @@ SENDMAIL(1)                                           SENDMAIL(1)
        <b>-I</b>     Initialize  alias database. See the <b>newaliases</b> com-
               mand above.
 
+       <b>-L</b> <i>label</i> (ignored)
+              The logging label. Use the  <b>syslog</b><i>_</i><b>name</b>  configura-
+              tion parameter instead.
+
        <b>-N</b> <i>dsn</i> (ignored)
               Delivery  status  notification  control. Currently,
               Postfix does not implement <b>DSN</b>.

postfix/man/man1/sendmail.1

@@ -71,6 +71,9 @@ Gateway (relay) submission, as opposed to initial user submission.
 .IP \fB-I\fR
 Initialize alias database. See the \fBnewaliases\fR
 command above.
+.IP "\fB-L \fIlabel\fR (ignored)"
+The logging label. Use the \fBsyslog_name\fR configuration
+parameter instead.
 .IP "\fB-N \fIdsn\fR (ignored)"
 Delivery status notification control. Currently, Postfix does
 not implement \fBDSN\fR.

postfix/src/global/mail_version.h

@@ -15,7 +15,7 @@
   * Version of this program.
   */
 #define VAR_MAIL_VERSION	"mail_version"
-#define DEF_MAIL_VERSION	"Snapshot-20011216"
+#define DEF_MAIL_VERSION	"Snapshot-20011217"
 extern char *var_mail_version;
 
 /* LICENSE

postfix/src/master/Makefile.in

@@ -203,11 +203,14 @@ master_wakeup.o: ../../include/sys_defs.h
 master_wakeup.o: ../../include/msg.h
 master_wakeup.o: ../../include/trigger.h
 master_wakeup.o: ../../include/events.h
+master_wakeup.o: ../../include/set_eugid.h
+master_wakeup.o: ../../include/set_ugid.h
 master_wakeup.o: ../../include/mail_proto.h
 master_wakeup.o: ../../include/vstream.h
 master_wakeup.o: ../../include/vbuf.h
 master_wakeup.o: ../../include/iostuff.h
 master_wakeup.o: ../../include/attr.h
+master_wakeup.o: ../../include/mail_params.h
 master_wakeup.o: mail_server.h
 master_wakeup.o: master.h
 multi_server.o: multi_server.c

postfix/src/master/master_wakeup.c

@@ -58,10 +58,13 @@
 #include <msg.h>
 #include <trigger.h>
 #include <events.h>
+#include <set_eugid.h>
+#include <set_ugid.h>
 
 /* Global library. */
 
 #include <mail_proto.h>			/* triggers */
+#include <mail_params.h>
 
 /* Application-specific. */
 
@@ -101,8 +104,29 @@ static void master_wakeup_timer_event(int unused_event, char *context)
 	case MASTER_SERV_TYPE_UNIX:
 	    status = LOCAL_TRIGGER(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
 	    break;
+
+	    /*
+	     * If someone compromises the postfix account then this must not
+	     * overwrite files outside the chroot jail. Countermeasures:
+	     * 
+	     * - Limit the damage by accessing the FIFO as postfix not root.
+	     * 
+	     * - Have fifo_trigger() call safe_open() so we won't follow
+	     * arbitrary hard/symlinks to files in/outside the chroot jail.
+	     * 
+	     * - All non-chroot postfix-related files must be root owned (or
+	     * postfix check complains).
+	     * 
+	     * - The postfix user and group ID must not be shared with other
+	     * applications (says the INSTALL documentation).
+	     * 
+	     * Result of a discussion with Michael Tokarev who claims het got
+	     * his insights from Solar Designer.
+	     */
 	case MASTER_SERV_TYPE_FIFO:
+	    set_eugid(var_owner_uid, var_owner_gid);
 	    status = fifo_trigger(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
+	    set_ugid(getuid(), getgid());
 	    break;
 	default:
 	    msg_panic("%s: unknown service type: %d", myname, serv->type);

postfix/src/postalias/Makefile.in

@@ -21,10 +21,36 @@ $(PROG): $(OBJS) $(LIBS)
 Makefile: Makefile.in
 	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
 
-test:	$(TESTPROG)
-
 update: ../../bin/$(PROG)
 
+test:	test1 test2
+
+test1:	$(PROG) map.in map-abc1.ref map-ghi1.ref map-ABC1.ref
+	./$(PROG) map.in
+	for key in abc ghi; \
+	do \
+	    ./$(PROG) -q $${key} map.in | diff map-$${key}1.ref -; \
+	done
+	./$(PROG) -f map.in
+	for key in ABC; \
+	do \
+	    ./$(PROG) -fq $${key} map.in | diff map-$${key}1.ref -; \
+	done
+	rm -f map.in.db
+
+test2:	$(PROG) map.in map-abc2.ref map-ghi2.ref map-ABC2.ref
+	./$(PROG) map.in
+	for key in abc ghi; \
+	do \
+	    echo $${key} | ./$(PROG) -q - map.in | diff map-$${key}2.ref -; \
+	done
+	./$(PROG) -f map.in
+	for key in ABC; \
+	do \
+	    echo $${key} | ./$(PROG) -fq - map.in | diff map-$${key}2.ref -; \
+	done
+	rm -f map.in.db
+
 ../../bin/$(PROG): $(PROG)
 	cp $(PROG) ../../bin
 

postfix/src/postalias/map-ABC1.ref

@@ -0,0 +1 @@
+DEF

postfix/src/postalias/map-ABC2.ref

@@ -0,0 +1 @@
+ABC:	DEF

postfix/src/postalias/map-abc1.ref

@@ -0,0 +1 @@
+DEF

postfix/src/postalias/map-abc2.ref

@@ -0,0 +1 @@
+abc:	DEF

postfix/src/postalias/map-ghi1.ref

@@ -0,0 +1 @@
+jkl

postfix/src/postalias/map-ghi2.ref

@@ -0,0 +1 @@
+ghi:	jkl

postfix/src/postalias/map.in

@@ -0,0 +1,2 @@
+ABC:	DEF
+ghi:	jkl

postfix/src/postmap/Makefile.in

@@ -21,13 +21,39 @@ $(PROG):	$(OBJS) $(LIBS)
 Makefile: Makefile.in
 	(set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
 
-test:	$(TESTPROG)
-
 update: ../../bin/$(PROG)
 
 ../../bin/$(PROG): $(PROG)
 	cp $(PROG) ../../bin
 
+test:	test1 test2
+
+test1:	$(PROG) map.in map-abc1.ref map-ghi1.ref map-ABC1.ref
+	./$(PROG) map.in
+	for key in abc ghi; \
+	do \
+	    ./$(PROG) -q $${key} map.in | diff map-$${key}1.ref -; \
+	done
+	./$(PROG) -f map.in
+	for key in ABC; \
+	do \
+	    ./$(PROG) -fq $${key} map.in | diff map-$${key}1.ref -; \
+	done
+	rm -f map.in.db
+
+test2:	$(PROG) map.in map-abc2.ref map-ghi2.ref map-ABC2.ref
+	./$(PROG) map.in
+	for key in abc ghi; \
+	do \
+	    echo $${key} | ./$(PROG) -q - map.in | diff map-$${key}2.ref -; \
+	done
+	./$(PROG) -f map.in
+	for key in ABC; \
+	do \
+	    echo $${key} | ./$(PROG) -fq - map.in | diff map-$${key}2.ref -; \
+	done
+	rm -f map.in.db
+
 printfck: $(OBJS) $(PROG)
 	rm -rf printfck
 	mkdir printfck
@@ -39,7 +65,7 @@ lint:
 	lint $(DEFS) $(SRCS) $(LINTFIX)
 
 clean:
-	rm -f *.o *core $(PROG) $(TESTPROG) junk 
+	rm -f *.o *core $(PROG) $(TESTPROG) junk map.in.db
 	rm -rf printfck
 
 tidy:	clean

postfix/src/postmap/map-ABC1.ref

@@ -0,0 +1 @@
+DEF

postfix/src/postmap/map-ABC2.ref

@@ -0,0 +1 @@
+ABC	DEF

postfix/src/postmap/map-abc1.ref

@@ -0,0 +1 @@
+DEF

postfix/src/postmap/map-abc2.ref

@@ -0,0 +1 @@
+abc	DEF

postfix/src/postmap/map-ghi1.ref

@@ -0,0 +1 @@
+jkl

postfix/src/postmap/map-ghi2.ref

@@ -0,0 +1 @@
+ghi	jkl

postfix/src/postmap/map.in

@@ -0,0 +1,2 @@
+ABC	DEF
+ghi	jkl

postfix/src/sendmail/sendmail.c

@@ -65,6 +65,9 @@
 /* .IP \fB-I\fR
 /*	Initialize alias database. See the \fBnewaliases\fR
 /*	command above.
+/* .IP "\fB-L \fIlabel\fR (ignored)"
+/*	The logging label. Use the \fBsyslog_name\fR configuration
+/*	parameter instead.
 /* .IP "\fB-N \fIdsn\fR (ignored)"
 /*	Delivery status notification control. Currently, Postfix does
 /*	not implement \fBDSN\fR.
@@ -860,7 +863,7 @@ int     main(int argc, char **argv)
 	    optind++;
 	    continue;
 	}
-	if ((c = GETOPT(argc, argv, "B:C:F:GIN:R:UV:X:b:ce:f:h:imno:p:r:q:tvx")) <= 0)
+	if ((c = GETOPT(argc, argv, "B:C:F:GIL:N:R:UV:X:b:ce:f:h:imno:p:r:q:tvx")) <= 0)
 	    break;
 	switch (c) {
 	default:
@@ -869,20 +872,12 @@ int     main(int argc, char **argv)
 	    break;
 	case 'n':
 	    fatal_error(EX_USAGE, "-%c option not supported", c);
-	case 'B':				/* body type */
-	    break;
 	case 'F':				/* full name */
 	    full_name = optarg;
 	    break;
-	case 'G':				/* gateway submission */
-	    break;
 	case 'I':				/* newaliases */
 	    mode = SM_MODE_NEWALIAS;
 	    break;
-	case 'N':				/* DSN */
-	    break;
-	case 'R':				/* DSN */
-	    break;
 	case 'V':				/* VERP */
 	    if (verp_delims_verify(optarg) != 0)
 		fatal_error(EX_USAGE, "-V requires two characters from %s",

postfix/src/util/Makefile.in

@@ -690,6 +690,10 @@ fifo_trigger.o: fifo_trigger.c
 fifo_trigger.o: sys_defs.h
 fifo_trigger.o: msg.h
 fifo_trigger.o: iostuff.h
+fifo_trigger.o: safe_open.h
+fifo_trigger.o: vstream.h
+fifo_trigger.o: vbuf.h
+fifo_trigger.o: vstring.h
 fifo_trigger.o: trigger.h
 file_limit.o: file_limit.c
 file_limit.o: sys_defs.h

postfix/src/util/fifo_trigger.c

@@ -49,6 +49,7 @@
 
 #include <msg.h>
 #include <iostuff.h>
+#include <safe_open.h>
 #include <trigger.h>
 
 /* fifo_trigger - wakeup fifo server */
@@ -56,18 +57,23 @@
 int     fifo_trigger(const char *service, const char *buf, int len, int timeout)
 {
     char   *myname = "fifo_trigger";
+    VSTREAM *fp;
     int     fd;
 
     /*
      * Write the request to the service fifo. According to POSIX, the open
      * shall always return immediately, and shall return an error when no
      * process is reading from the FIFO.
+     * 
+     * Use safe_open() so that we don't follow arbitrary symlinks.
      */
-    if ((fd = open(service, O_WRONLY | O_NONBLOCK, 0)) < 0) {
+    if ((fp = safe_open(service, O_WRONLY | O_NONBLOCK, 0,
+			(struct stat *) 0, -1, -1, (VSTRING *) 0)) == 0) {
 	if (msg_verbose)
 	    msg_info("%s: open %s: %m", myname, service);
 	return (-1);
     }
+    fd = vstream_fileno(fp);
 
     /*
      * Write the request...
@@ -80,7 +86,7 @@ int     fifo_trigger(const char *service, const char *buf, int len, int timeout)
     /*
      * Disconnect.
      */
-    if (close(fd))
+    if (vstream_fclose(fp))
 	if (msg_verbose)
 	    msg_warn("%s: close %s: %m", myname, service);
     return (0);