[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Julian Field MailScanner at ecs.soton.ac.uk
Wed Dec 10 17:21:19 GMT 2008

My current plan is to use a /var/spool/MailScanner/incoming/tmp 
directory which is owned by the "Run As User" and "Run As Group" and 
only accessible by drwx------ so that MailScanner can write to it and 
root can as well. This is already half-implemented as there is a 
"Lockfile Dir" setting in MailScanner.conf. I just need to pass that on 
the command-line of the -autoupdate scripts so they know where to expect 
and put their lockfiles (all the current ones assume Lockfile Dir = /tmp).

After that there's just a few places in TNEF.pm, SA.pm and the 
"MailScanner --lint" code which also need to use the Lockfile Dir 
directory instead of /tmp.

Any reason why this wouldn't work? I can implement all this in about an 
hour's work.


Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list