DevHeads.net

Dot forward not reading links

Hi,

I've been wondering why my .forward files didn't work like I
expected and finally I found out dotforward doesn't accept linked
files. Is there any reason why dotforward doesn't read links? In
src/local/dotforward.c (line 232 of the latest debian version) I wanted
to change

if (S_ISREG(st.st_mode) == 0) {

to

if ((S_ISREG(st.st_mode) == 0) && (S_ISLNK(st.st_mode) == 0)) {

and I was wondering why it wasn't that way already.

Regards,

wimpunk.

Comments

Re: Dot forward not reading links

By Wietse Venema at 11/30/2012 - 18:10

What if the symlink points to /dev/zero or /dev/random?

Wietse

Re: Dot forward not reading links

By wimpunk at 11/30/2012 - 18:33

On Fri, Nov 30, 2012 at 11:10 PM, Wietse Venema < ... at porcupine dot org> wrote:
It would fail because the file would be world writable.

wimpunk.

Re: Dot forward not reading links

By Wietse Venema at 11/30/2012 - 18:41

Right, and your point is that all malicious symlinks under all
users' home directories will always resolve to a world-writable
file, so I should not have to worry about such things.

Wietse

Re: Dot forward not reading links

By wimpunk at 12/01/2012 - 04:51

On Fri, Nov 30, 2012 at 11:41 PM, Wietse Venema < ... at porcupine dot org> wrote:
No, my point is that if it would point to /dev/zero or /dev/random, it
would fail because the file is world writable.

If you want to check on malicious links, postfix could verify if the
link it points to is a file with the correct features.
I believe there is no need for such check. If you're afraid of
malicious files, you better just disable the userforward feature.
People could write their own malicious files. There is actually not
that much difference between doing a cp or doing a ln, or at least not
from my point of view. I'm pretty much interested in what you
consider as a malicious file and why it should be considered as a much
bigger risk than using the normal dotforward files.

The reason I searched for this is because I just wanted to make my own
management easier. I had a .forward+a file which filtered the mail to
a specific folder in my mailbox. Because I wanted the mail sent to
${user}+b and ${user}+c handled the same way, I created a link named
.forward+b and .forward+c which pointed to .forward+a but as we know,
it didn't work.

Regards,

wimpunk.

Re: Dot forward not reading links

By dev rob0 at 12/01/2012 - 12:49

On Sat, Dec 01, 2012 at 09:51:05AM +0100, wimpunk wrote:
Hard links work fine.

Re: Dot forward not reading links

By wimpunk at 12/04/2012 - 16:28

On Sat, Dec 1, 2012 at 5:49 PM, /dev/rob0 < ... at gmx dot co.uk> wrote:
Sorry for the late reply but it sounds like a good plan. :-) Tnx!

wimpunk.

Re: Dot forward not reading links

By Wietse Venema at 12/01/2012 - 09:52

The .forward file is a "program" that can execute arbitrary shell
commands and that can write to arbitrary files, with the privileges
of the recipient (which may be "root"). All this makes .forward a
sensitive file.

Common-sense measures to protect a sensitive file are:

- Keeping the file within a directory that is writable only by the
recipient or by the system administrator.

- Using a "hidden" name in the user's home directory, such that the
file isn't easily destroyed by mistake.

If you want Postfix to look for .forward files in other locations,
then you can edit the forward_path parameter setting. The default
is to look under the home directory.

forward_path = $home/.forward${recipient_delimiter}${extension},
$home/.forward

Here is an example with per-user files under /var/forward:

forward_path = /var/forward/$user

Of course you can mix the two models.

Wietse
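The file check argued about in the opening post and spelled out as "common-sense measures" in the reply above, as an added example that is neither code from this thread nor from Postfix: a defender-side validation of a per-user forwarding file that uses lstat() so a symlink is seen as a symlink, rejects non-regular files such as /dev/zero, and enforces ownership and group/world write bits; a second helper shows that after a plain stat() an S_ISLNK() test never fires, because the link has already been followed. The function names, the scratch directory and the three fixture entries are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

enum { FWD_OK, FWD_SYMLINK, FWD_NOT_REGULAR, FWD_BAD_OWNER, FWD_WRITABLE, FWD_ERR };

/* Accept 'path' as a sensitive per-user file only if it is a regular file owned by
 * 'owner' and not group/world writable. lstat() describes the link itself; stat() follows it. */
int check_forward_file(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return FWD_ERR;
    if (S_ISLNK(st.st_mode))                 /* reject a symlink wherever it points */
        return FWD_SYMLINK;
    if (!S_ISREG(st.st_mode))                /* devices, fifos, directories */
        return FWD_NOT_REGULAR;
    if (st.st_uid != owner)
        return FWD_BAD_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return FWD_WRITABLE;
    return FWD_OK;
}

/* With a plain stat() S_ISLNK() never fires: the link was already followed. Returns 1/0, -1 on error. */
int islnk_after_stat(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? S_ISLNK(st.st_mode) != 0 : -1;
}

/* Constructed fixture: 0600 file ".forward+a", 0666 file ".forward+ww", symlink ".forward+b" -> ".forward+a". */
static char fixture_dir[] = "/tmp/fwdchkXXXXXX";
static const char *fx(const char *name)      /* fixture_dir/name in a static buffer */
{ static char p[96]; snprintf(p, sizeof p, "%s/%s", fixture_dir, name); return p; }
static int touch(const char *name, mode_t mode)   /* create an empty file, then force its mode */
{ FILE *f = fopen(fx(name), "w"); if (f == NULL) return -1; fclose(f); return chmod(fx(name), mode); }
int make_fixture(void)
{
    if (mkdtemp(fixture_dir) == NULL) return -1;
    if (touch(".forward+a", 0600) != 0 || touch(".forward+ww", 0666) != 0) return -1;
    return symlink(".forward+a", fx(".forward+b"));
}
/* Run the checks on one fixture entry as the recipient, i.e. our own uid. */
int check_entry(const char *name) { return check_forward_file(fx(name), getuid()); }
int islnk_entry(const char *name) { return islnk_after_stat(fx(name)); }
```

The symlink is rejected by check_entry() even though its target is a 0600 regular file owned by the same user, while islnk_entry() reports 0 for it: that is the difference between lstat() and stat() that decides whether an S_ISLNK() test means anything.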

Re: Dot forward not reading links

By wimpunk at 12/04/2012 - 16:27

On Sat, Dec 1, 2012 at 2:52 PM, Wietse Venema < ... at porcupine dot org> wrote:
Thanks for the feedback but still I don't get the point why it would
make any difference between using a link or a file as .forward. That
link could only be written by the sysadmin or me. The only thing you
have to trust is having users with a little common sense. But you
also need it if you want to use user defined .forward files.

wimpunk.

Re: Dot forward not reading links

By Wietse Venema at 12/04/2012 - 16:38

HARDlinks are OK, SYMlinks are not. I can't let your PC mentality
dictate Postfix's security policies.

Wietse