[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Glenn Steen glenn.steen at gmail.com
Wed Dec 10 19:16:45 GMT 2008

2008/12/10 Julian Field <MailScanner at ecs.soton.ac.uk>:
> My current plan is to use a /var/spool/MailScanner/incoming/tmp directory
> which is owned by the "Run As User" and "Run As Group" and only accessible
> by drwx------ so that MailScanner can write to it and root can as well. This
> is already half-implemented as there is a "Lockfile Dir" setting in
> MailScanner.conf. I just need to pass that on the command-line of the
> -autoupdate scripts so they know where to expect and put their lockfiles
> (all the current ones assume Lockfile Dir = /tmp).
> After that there's just a few places in TNEF.pm, SA.pm and the "MailScanner
> --lint" code which also need to use the Lockfile Dir directory instead of
> /tmp.
> Any reason why this wouldn't work? I can implement all this in about an
> hour's work.
> Jules
Sounds perfect to me.

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list