Glitch in the virus database update scripts
Soeren Gerlach
so-mlist-alias at all-about-shift.com
Fri Feb 21 18:37:41 GMT 2003
Hi,

as I just recently installed my MailScanner and also a couple of virus
scanners, I was able to block the whole system with a little mistake I made.
For security reasons I run the complete scanning system together with the
MTA (exim) under the user "mail". I also chowned the /opt/MailScanner and
virus scanning stuff to "mail:mail" (yes, I'm running a Debian box *g*).

Right after installation I performed a sophos-update for the virus database.
I later installed the update in the crontab of user __mail__. THIS was a
problem, because I did the first update as user root and the other ones as
user mail; but he was not able to get the lock file because this is owned by
root and chmod'ed 644. The problem starts when an arbitrary user creates a
lock file for one of the update scripts and chmods it to 600: he can easily
blow the whole update stuff without really doing anything "bad", because the
locks are simply set in the /tmp directory, which normally is
world-writeable on most OSes.

Although no other users reside on the mail servers I care for, I recommend
changing the lock files to another place. For my boxes I created a
/var/run/MailScanner directory and changed all scripts which I needed to
use this directory. As I changed it to mail:mail with 700 grants, it's now
not possible to lock the updates for another user.

Another directory could be /opt/MailScanner/locks or so.

best regards,
soeren gerlach
--
This message has been scanned for viruses and other dangerous content
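
The fix described in this message, as an added example that is not part of the original post or of MailScanner's own scripts: an update wrapper refuses to take its lock unless the lock directory is a real directory, owned by the calling user, with mode 700. The function names and the `.lock` suffix are assumptions; `LOCKDIR` defaults to the path named in the post.

```shell
#!/bin/sh
# Added example: private lock directory for virus-database update scripts.
# Function names and the ".lock" suffix are hypothetical; the default
# LOCKDIR is the directory suggested in the post.
LOCKDIR=${LOCKDIR:-/var/run/MailScanner}

# True only if $1 is a real directory (not a symlink), owned by the
# calling user, with mode exactly 700. A world-writable directory such
# as /tmp fails this check.
lockdir_is_private() {
    [ -n "$(find "$1" -prune -type d -user "$(id -u)" -perm 700 2>/dev/null)" ]
}

# Create the lock directory with mode 700 if it is missing, then verify it.
prepare_lockdir() {
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then
        (umask 077 && mkdir "$1") || return 1
    fi
    lockdir_is_private "$1"
}

# acquire_lock DIR NAME
# Returns 0 when the lock was taken, 1 when it is already held,
# 2 when DIR is not private and must not be trusted.
acquire_lock() {
    lockdir_is_private "$1" || { echo "unsafe lock dir: $1" >&2; return 2; }
    # noclobber (set -C) makes the redirect fail if the file already exists,
    # so creating the lock is a single atomic step.
    ( set -C; echo "$$" > "$1/$2.lock" ) 2>/dev/null || return 1
}

# release_lock DIR NAME
release_lock() {
    rm -f "$1/$2.lock"
}
```

Run `prepare_lockdir "$LOCKDIR"` once as the user that owns the cron job, so the first update and the scheduled ones share the same owner.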