[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

Julian Field MailScanner at ecs.soton.ac.uk
Thu Dec 11 20:28:43 GMT 2008 

I have just released 4.74.6-2 which is exactly the same code as -1 but 
there shouldn't be any doubt about filesizes now.
Please upgrade to this one and try it again.

On 11/12/08 19:59, Julian Field wrote:
>
>
> On 11/12/08 16:43, Kai Schaetzl wrote:
>> Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000:
>>
>>> Please let me know what you think works and what still doesn't work, if
>>> anything.
>>
>> So far so good. Got this on first restart:
>>
>> Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership
>> abilities on
>> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, 
>> please
>> delete the file
>>
>> file doesn't exist, though. Directory contains lockfiles for all the
>> virusscan wrappers, no matter if in use or not. Is this intended?
>>
>> Everything seems to be fine.
>> How to test? Run /etc/cron.hourly/update_virus_scanners ?
> Do
> MailScanner --lint
> and
> /usr/sbin/update_virus_scanners
>
> If it complains about there not being a MailScannerCreateLocks or 
> anything in /usr/lib/MailScanner/mailscanner_create_locks or the 
> /usr/sbin/mailscanner_create_locks script not existing, please do
> ls -ld /usr/sbin/mail* /usr/sbin/Mail*
>
>
>>
>> I also noticed a somewhat strange behavior of 
>> upgrade_MailScanner_conf. It
>> mentioned
>> Added new: Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif
>> although this was already present in MailScanner.conf (from 4.74.4).
> It should have said "Added new: Lockfile Dir = 
> /var/spool/MailScanner/incoming/Locks" as well. That's to be expected, 
> I needed to overwrite people's settings for those two. People never 
> read instructions, so it's pointless just asking people to change it.
>
>> One request for mailscanner*.rpm: could you add a check that stops
>> creating the /etc/spamassassin/mailscanner.conf symlink in case there's
>> already a symlink or file? I tried touching an empty file there, but the
>> rpm just wiped it away.
> I'll take a look.
>
> Jules
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list