Gentoo Security Bugs on MailScanner

John Wilcock john at tradoc.fr
Mon Apr 19 12:12:39 IST 2010


On 16/04/2010 00:32, Kai Schaetzl wrote:
> Alex Neuman wrote on Thu, 15 Apr 2010 13:13:38 -0500:
>
>> It's all in the page you provide
>
> Not really. Stefan Behte doesn't reveal details. It might be helpful if he
> would ... I don't see why using /tmp is so problematic. I see other stuff
> like the clamd socket there as well. Also, more than half of the code that
> you get displayed with his example is commented out and other parts are
> perhaps out of use either.

/tmp is generally world-writeable, so any unprivileged local user can 
create symlinks there pointing at system files or whatever. Processes 
that may run with elevated privs creating files in /tmp with 
predetermined or predictable filenames is therefore theoretically a bad 
idea, as malevolent local users could thereby overwrite important system 
files.

For example, any local user could hose a MailScanner box with a simple 
ln -s /etc/passwd /tmp/ClamAV.update.log ; just wait until 
clamav-autoupdate runs...

Of course, on most mail servers there won't be any unprivileged 
interactive local users anyway, so it's pretty much a non-issue.

Still, there aren't many MS files concerned though, only a few of the 
antivirus wrapper and autoupdate scripts, and I'm surprised Julian 
hasn't fixed them already. I wrote to him offlist recently after a 
gentoo admin masked the MailScanner ebuild and threatened to remove it 
from the gentoo tree, but have not had a reply.

John.

-- 
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
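
The symlink problem described in this message, reproduced inside a throwaway sandbox directory next to a writer that uses mktemp instead of a fixed name. This is an added example, not code from MailScanner or from the post; the function names, the sandbox layout and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: runs entirely inside a throwaway sandbox, never the real /tmp.

# Pattern from the post: a fixed, predictable name in a shared directory.
# ">" follows a symlink planted at that path and truncates its target.
write_log_predictable() {    # $1 = shared dir, $2 = message
    echo "$2" > "$1/ClamAV.update.log"
}

# Hardened: mktemp picks an unpredictable name and creates the file with
# O_CREAT|O_EXCL, so an existing file or symlink is never opened.
# (Testing [ -L "$path" ] before writing is not a fix: the link can be
# planted between the test and the open.)
write_log_mktemp() {         # $1 = shared dir, $2 = message; prints new path
    log=$(mktemp "$1/ClamAV.update.XXXXXX") || return 1
    echo "$2" > "$log"
    printf '%s\n' "$log"
}

# Scenario: "shared" stands in for /tmp, "victim" for a system file.
# $1 = writer function to exercise; prints the victim's content afterwards.
demo() {
    sandbox=$(mktemp -d) || return 1
    shared="$sandbox/shared"
    victim="$sandbox/victim"
    mkdir "$shared"
    echo "constructed system file" > "$victim"
    ln -s "$victim" "$shared/ClamAV.update.log"   # link already in place
    "$1" "$shared" "update ok" > /dev/null
    cat "$victim"
    rm -rf "$sandbox"
}

echo "fixed name -> victim contains: $(demo write_log_predictable)"
echo "mktemp     -> victim contains: $(demo write_log_mktemp)"
```

When the log must keep a stable name, the usual alternative is to place it in a directory that only the service account can write to, so no other local user can plant a link there.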

