Gentoo Security Bugs on MailScanner
John Wilcock
john at tradoc.fr
Mon Apr 19 12:12:39 IST 2010
On 16/04/2010 00:32, Kai Schaetzl wrote:
> Alex Neuman wrote on Thu, 15 Apr 2010 13:13:38 -0500:
>
>> It's all in the page you provide
>
> Not really. Stefan Behte doesn't reveal details. It might be helpful if he
> would ... I don't see why using /tmp is so problematic. I see other stuff
> like the clamd socket there as well. Also, more than half of the code that
> you get displayed with his example is commented out and other parts are
> perhaps out of use either.

/tmp is generally world-writeable, so any unprivileged local user can
create symlinks there pointing at system files or whatever. Processes
that may run with elevated privs creating files in /tmp with
predetermined or predictable filenames is therefore theoretically a bad
idea, as malevolent local users could thereby overwrite important system
files.

For example, any local user could hose a MailScanner box with a simple
ln -s /etc/passwd /tmp/ClamAV.update.log ; just wait until
clamav-autoupdate runs...

Of course, on most mail servers there won't be any unprivileged
interactive local users anyway, so it's pretty much a non-issue.

Still, there aren't many MS files concerned though, only a few of the
antivirus wrapper and autoupdate scripts, and I'm surprised Julian
hasn't fixed them already. I wrote to him offlist recently after a
gentoo admin masked the MailScanner ebuild and threatened to remove it
from the gentoo tree, but have not had a reply.

John.
--
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr
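
The predictable-filename problem described in the message above, next to one way a script can avoid it, as an added example (not code from MailScanner or from this thread). The function names are hypothetical, and a scratch directory and dummy file stand in for /tmp and the system file.

```shell
#!/bin/sh
# Constructed sandbox: a scratch directory stands in for /tmp and a dummy file
# stands in for the system file, so nothing outside the sandbox is touched.

# make_sandbox: print the path of a fresh directory that already contains a
# symlink at the predictable log name, pointing at a "protected" file.
make_sandbox() {
    d=$(mktemp -d) || return 1
    echo "protected" > "$d/protected.conf"
    ln -s "$d/protected.conf" "$d/ClamAV.update.log"
    printf '%s\n' "$d"
}

# Unsafe pattern: fixed name in a shared directory. The ">" redirection
# follows the symlink and truncates whatever it points at.
write_log_unsafe() {    # $1 = shared directory, $2 = log message
    echo "$2" > "$1/ClamAV.update.log"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively (it fails rather than reuse an existing path), mode 0600.
write_log_safe() {      # $1 = shared directory, $2 = log message
    log=$(mktemp "$1/ClamAV.update.XXXXXXXXXX") || return 1
    echo "$2" > "$log"
    printf '%s\n' "$log"    # caller learns where the log went
}

# Demo: run both patterns against identical sandboxes and compare.
for mode in unsafe safe; do
    box=$(make_sandbox) || exit 1
    "write_log_$mode" "$box" "update ok" > /dev/null
    echo "$mode: protected.conf now contains '$(cat "$box/protected.conf")'"
    rm -rf "$box"
done
```

A log that must keep a fixed name belongs in a directory only the service account can write to, rather than in /tmp.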