Glitch in the virus database update scripts
so-mlist-alias at all-about-shift.com
Fri Feb 21 18:37:41 GMT 2003
as I just recently installed my MailScanner and also a couple of virus
scanners I was able to block the whole system with a little mistake I made.
For security reasons I run the complete scanning systems together with the
MTA (exim) under the user "mail". I also chowned the /opt/MailScanner and
virus scanning stuff to "mail:mail" (yes, I'm running a debian box *g*).
Right after installation I performed a sophos-update for the virus database.
I later installed the update in the crontab of user __mail__. THIS was a
problem, because I did the first update as user root and the other ones as
user mail; but he was not able to get the lockfile because this is owned by
root and chmod'ed 644. The problem starts when an arbitrarly user creates a
lock file for one of the update-scripts and chmods it to 600, he can easily
blow the whole update stuff without really doing anything "bad" because the
locks simply are set in the /tmp directory which normally is
world-writeable on most OSes.
Although no other users resides on the mail servers I care for I recommend
to change the lock files to another place. For my boxes I created a
/var/run/MailScanner directory and changed all scripts which I needed to
use this directory. As I changed it to mail:mail with 700 grants it's now
not possible to lock the updates for another user.
Another directory could be /opt/MailScanner/locks or so.
Diese Nachricht wurde auf Viren und andere gefaehrliche Inhalte untersucht
More information about the MailScanner