[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Julian Field MailScanner at ecs.soton.ac.uk
Thu Dec 11 19:59:20 GMT 2008

On 11/12/08 16:43, Kai Schaetzl wrote:
> Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000:
>> Please let me know what you think works and what still doesn't work, if
>> anything.
> So far so good. Got this on first restart:
> Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership
> abilities on
> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, please
> delete the file
> file doesn't exist, though. Directory contains lockfiles for all the
> virusscan wrappers, no matter if in use or not. Is this intended?
> Everything seems to be fine.
> How to test? Run /etc/cron.hourly/update_virus_scanners ?
MailScanner --lint

If it complains about there not being a MailScannerCreateLocks or 
anything in /usr/lib/MailScanner/mailscanner_create_locks or the 
/usr/sbin/mailscanner_create_locks script not existing, please do
ls -ld /usr/sbin/mail* /usr/sbin/Mail*

> I also noticed a somewhat strange behavior of upgrade_MailScanner_conf. It
> mentioned
> Added new: Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif
> although this was already present in MailScanner.conf (from 4.74.4).
It should have said "Added new: Lockfile Dir = 
/var/spool/MailScanner/incoming/Locks" as well. That's to be expected, I 
needed to overwrite people's settings for those two. People never read 
instructions, so it's pointless just asking people to change it.

> One request for mailscanner*.rpm: could you add a check that stops
> creating the /etc/spamassassin/mailscanner.conf symlink in case there's
> already a symlink or file? I tried touching an empty file there, but the
> rpm just wiped it away.
I'll take a look.


Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
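
The check Kai asks for above (do not create the symlink when a file or symlink is already at that path), sketched as an added example. This is not part of the message and not MailScanner's rpm scriptlet code; link_if_absent is a hypothetical helper, and the target argument is left to the caller because the message does not say where the symlink points.

```shell
#!/bin/sh
# Added example, not MailScanner's packaging code.
# link_if_absent TARGET LINK: create LINK -> TARGET only if nothing is
# already at LINK. Returns 0 when created, 1 when something was there and
# was left alone, 2 when ln itself failed.
link_if_absent() {
    target=$1
    link=$2

    # [ -e ] follows symlinks, so a dangling symlink looks "absent" to it.
    # The separate -L test catches a symlink whatever it points at.
    if [ -e "$link" ] || [ -L "$link" ]; then
        echo "keeping existing $link" >&2
        return 1
    fi

    # No -f: ln will not replace a file or symlink that appears between
    # the check above and this call, so a race cannot become an overwrite.
    ln -s -- "$target" "$link" 2>/dev/null || {
        echo "could not create $link" >&2
        return 2
    }
    return 0
}

# In a package post-install step the call would take the form
#   link_if_absent <target-from-the-package> /etc/spamassassin/mailscanner.conf
# with the return value ignored or logged rather than treated as fatal.
```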
