[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks
Mark Sapiro
mark at msapiro.net
Thu Dec 11 21:05:09 GMT 2008
Julian Field wrote:
>
>On 11/12/08 16:43, Kai Schaetzl wrote:
>> Julian Field wrote on Thu, 11 Dec 2008 14:16:06 +0000:
>>
>>
>>> Please let me know what you think works and what still doesn't work, if
>>> anything.
>>>
>>
>> So far so good. Got this on first restart:
>>
>> Dec 11 17:31:10 d01 MailScanner[11441]: Could not test file ownership
>> abilities on
>> /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.11441, please
>> delete the file
>>
>> file doesn't exist, though. Directory contains lockfiles for all the
>> virusscan wrappers, no matter if in use or not. Is this intended?
>>
>> Everything seems to be fine.
>> How to test? Run /etc/cron.hourly/update_virus_scanners ?
>>
>Do
>MailScanner --lint
>and
>/usr/sbin/update_virus_scanners
>
>If it complains about there not being a MailScannerCreateLocks or
>anything in /usr/lib/MailScanner/mailscanner_create_locks or the
>/usr/sbin/mailscanner_create_locks script not existing, please do
>ls -ld /usr/sbin/mail* /usr/sbin/Mail*

MailScanner --lint looks good.

/usr/sbin/update_virus_scanners produces no error.

Everything seems to be working normally, but each time a child starts,
a message like the following is logged:

Dec 11 11:24:07 sbh16 MailScanner[23654]: Could not test file ownership abilities on /var/spool/MailScanner/incoming/Locks/MailScanner.ownertest.23654, please delete the file

and no such file exists after the fact:

[root@sbh16 ~]# ls -l /var/spool/MailScanner/incoming/Locks/
total 4
-rw------- 1 postfix postfix 0 Dec 11 09:18 antivirBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 avastBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 avgBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 bitdefenderBusy.lock
-rw------- 1 postfix postfix 49 Dec 11 12:28 clamavBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 cssBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 esetsBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 etrustBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 f-prot-6Busy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 f-protBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 f-secureBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 genericBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 inoculanBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 kasperskyBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 mcafeeBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 nod32Busy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 normanBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 pandaBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 ravBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 sophosBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 symscanengineBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 trendBusy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 vba32Busy.lock
-rw------- 1 postfix postfix 0 Dec 11 09:18 vexiraBusy.lock
[root@sbh16 ~]# cat /var/spool/MailScanner/incoming/Locks/clamavBusy.lock
Virus checker locked for scanning by clamd 23654
[root@sbh16 ~]#

Is the above log message significant?

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan