20170125
- Cleanup: mail_addr_find test scripting. Allow all tests to
- run in one process, without main.cf dependencies. Files:
- global/mail_addr_find.*
+ Cleanup: mail_addr_find test scripting. Eliminate main.cf
+ dependencies, and allow all tests to run in one process.
+ Files: global/mail_addr_find.*
20170127
Cleanup: smtp_generic_maps implementation. Reduced the
number of internal<->external form address conversions,
- added more rigorous tests, and removed main.cf and
+ added more rigorous tests, and eliminated the main.cf and
trivial-rewrite dependencies. Files: smtp_map11.*.
+
+20170129
+
+ Cleanup: environment settings for root and non-root users
+ in set-gid programs. File: postqueue/postqueue.c (enforce
+ import_environment name=value overrides for root users),
+ util/msg_syslog_init.c (don't override non-existent TZ
+ settings), util/unsafe.c (exclude root from privilege
+ escalation concerns).
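Review bot: The new 20170129 entry lists only postqueue/postqueue.c, util/msg_syslog_init.c and util/unsafe.c, yet the same patch also changes canon_addr_external() (strrchr() plus the quote/backslash check after the last '@'); no HISTORY entry visible here covers that change. If it belongs to this snapshot, add it to the 20170129 entry with its file name, since the three files listed describe only the set-gid environment work.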
Disable -DSNAPSHOT and -DNONPROD in makedefs.
- Enable external-form lookups for smtpd access maps.
-
Convert postalias(1) to store external-form keys, and convert
aliases(5) to perform external-first lookup with fallback to
internal form, to make it consistent with the rest of Postfix.
In the bounce daemon, set util_utf8_enable if returning an
SMTPUTF8 message.
- Why does postqueue show UTC time, even if TZ is set in
- the import_environment setting? Because postqueue is set-gid?
-
Add a header_body_checks extension callback in smtp_proto.c
that implements the PASS action.
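Review bot: Dropping the "Enable external-form lookups for smtpd access maps" item implies that work is finished, but nothing in this patch touches smtpd access maps and the 20170127 HISTORY entry covers smtp_generic_maps only; confirm it was completed in an earlier snapshot before removing it. Removing the question about postqueue showing UTC time is justified by the msg_syslog_init.c change below, which no longer forces TZ=UTC.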
<b><a href="postconf.5.html#alternate_config_directories">alternate_config_directories</a> (empty)</b>
A list of non-default Postfix configuration directories that may
- be specified with "-c <a href="postconf.5.html#config_directory">config_directory</a>" on the command line, or
- via the MAIL_CONFIG environment parameter.
+ be specified with "-c <a href="postconf.5.html#config_directory">config_directory</a>" on the command line (in
+ the case of <a href="sendmail.1.html"><b>sendmail</b>(1)</a>, with "-C <a href="postconf.5.html#config_directory">config_directory</a>"), or via the
+ MAIL_CONFIG environment parameter.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
tion logfiles with mail that is queued to those destinations.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a Postfix process will
+ The list of environment parameters that a Postfix process will
import from a non-Postfix parent process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
<b><a href="postconf.5.html#trigger_timeout">trigger_timeout</a> (10s)</b>
- The time limit for sending a trigger to a Postfix daemon (for
+ The time limit for sending a trigger to a Postfix daemon (for
example, the <a href="pickup.8.html"><b>pickup</b>(8)</a> or <a href="qmgr.8.html"><b>qmgr</b>(8)</a> daemon).
Available in Postfix version 2.2 and later:
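Review bot: The config_directory, import_environment, syslog_name and trigger_timeout descriptions are whitespace-only changes (the removed and added lines read identically) and add noise to an otherwise small documentation diff; if the HTML is regenerated from the source comments, check why the generator output changed, otherwise drop these lines from the patch. The alternate_config_directories wording itself is fine and matches the man page and the postqueue.c header text.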
\fBpostconf\fR(5) for more details including examples.
.IP "\fBalternate_config_directories (empty)\fR"
A list of non\-default Postfix configuration directories that may
-be specified with "\-c config_directory" on the command line, or
-via the MAIL_CONFIG environment parameter.
+be specified with "\-c config_directory" on the command line (in the
+case of \fBsendmail\fR(1), with "\-C config_directory"), or via the MAIL_CONFIG
+environment parameter.
.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
The default location of the Postfix main.cf and master.cf
configuration files.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20170128"
+#define MAIL_RELEASE_DATE "20170129"
#define MAIL_VERSION_NUMBER "3.2"
#ifdef SNAPSHOT
/* \fBpostconf\fR(5) for more details including examples.
/* .IP "\fBalternate_config_directories (empty)\fR"
/* A list of non-default Postfix configuration directories that may
-/* be specified with "-c config_directory" on the command line, or
-/* via the MAIL_CONFIG environment parameter.
+/* be specified with "-c config_directory" on the command line (in the
+/* case of \fBsendmail\fR(1), with "-C config_directory"), or via the MAIL_CONFIG
+/* environment parameter.
/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
/* The default location of the Postfix main.cf and master.cf
/* configuration files.
/*
* This program is designed to be set-gid, which makes it a potential
- * target for attack. If not running as root, strip the environment so we
- * don't have to trust the C library. If running as root, don't strip the
- * environment so that showq can receive non-default configuration
- * directory info when the mail system is down.
+ * target for attack. Strip and optionally override the process
+ * environment so that we don't have to trust the C library.
*/
- if (geteuid() != 0) {
- import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
- clean_env(import_env->argv);
- argv_free(import_env);
- }
+ import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
+ clean_env(import_env->argv);
+ argv_free(import_env);
+
if (chdir(var_queue_dir))
msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
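Review bot: The new comment says the environment is "stripped and optionally overridden", but nothing in this hunk performs an override; the HISTORY entry explains that import_environment name=value settings are now enforced for root users, so presumably that happens inside clean_env(). Say so in the comment. The removed rationale (root kept its environment so that showq could receive a non-default configuration directory when the mail system is down) is also worth preserving in one sentence: that case keeps working only as long as MAIL_CONFIG stays in import_environment, and a reader of the new comment cannot tell that from "strip ... so that we don't have to trust the C library".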
VSTRING *canon_addr_external(VSTRING *result, const char *addr)
{
+ char *at;
+
vstring_strcpy(result, addr);
- if (strchr(addr, '@') == 0)
+ if ((at = strrchr(addr, '@')) == 0
+ || (at + 1)[strcspn(at + 1, "\"\\")] != 0)
vstring_sprintf_append(result, "@%s", var_myorigin);
return (result);
}
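Review bot: The added condition `(at + 1)[strcspn(at + 1, "\"\\")] != 0` has no comment; add one stating the intent, which appears to be that a double quote or backslash after the last '@' means that '@' lies inside a quoted local part (a domain cannot contain those characters), so the address has no domain and @$myorigin is appended. Note also that switching from strchr() to strrchr() changes which '@' is examined when there are several: with the old code, an input such as "user@x" (quoted local part, no domain) was left alone because strchr() found the inner '@'; presumably that is the bug being fixed, and a test case for it in the map tests would pin the behaviour down.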
if (mystrtok(&bp, ":") != 0)
msg_fatal("garbage after result field");
+ /*
+ * Perform the mapping.
+ */
if (strcmp(cmd, "external") == 0) {
vstring_strcpy(addr_buf, addr_field);
have_result = smtp_map11_external(addr_buf, maps, 1);
TOK822 **addr_list;
TOK822 **tpp;
- /*
- * Parse the input and expectations.
- */
tree = tok822_parse(addr_field);
addr_list = tok822_grep(tree, TOK822_ADDR);
for (tpp = addr_list; *tpp; tpp++)
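Review bot: The removed comment "Parse the input and expectations" accurately described the tok822_parse()/tok822_grep() block that follows; dropping it while adding "Perform the mapping" above the strcmp() block leaves this part of the test function unlabeled. Keep a short comment here (for example "Parse the expected result") so the two stages read consistently.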
void msg_syslog_init(const char *name, int logopt, int facility)
{
static int first_call = 1;
+ extern char **environ;
/*
* XXX If this program is set-gid, then TZ must not be trusted. This
* scrubbing code is in the wrong place.
*/
if (unsafe())
- putenv("TZ=UTC");
+ while (getenv("TZ")) /* There may be multiple. */
+ if (unsetenv("TZ") < 0) { /* Desperate measures. */
+ environ[0] = 0;
+ msg_fatal("unsetenv: %m");
+ }
tzset();
openlog(name, LOG_NDELAY | logopt, facility);
if (first_call) {
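Review bot: In the failure branch, `environ[0] = 0` followed by msg_fatal() runs before openlog() and before the first_call setup below, so on the first call the "unsetenv: %m" message may never reach syslog; verify that msg_fatal() has a usable output on that path. Two style points: the `while` body is a braced `if` without braces of its own, which is easy to misread, so brace the loop body; and `extern char **environ;` declared inside the function body is legal but differs from the file-scope declaration used elsewhere, so move it to file scope. Behaviourally this replaces the old putenv("TZ=UTC") with removing TZ so that the system default zone applies after tzset(), which answers the postqueue UTC question removed from the TODO list in this same patch; the "XXX ... wrong place" comment above should probably be updated now that unsafe() excludes root and postqueue.c cleans the environment itself.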
/* On UNIX systems, the result is true when any of the following
/* conditions is true:
/* .IP \(bu
+/* The real UID is non-zero.
+/* .IP \(bu
+/* The effective UID is non-zero.
+/* .PP
+/* Additionally, any of the following conditions must be true:
+/* .IP \(bu
/* The issetuid kernel flag is non-zero (on systems that support
/* this concept).
/* .IP \(bu
/* The real and effective user id differ.
/* .IP \(bu
/* The real and effective group id differ.
+/* .PP
+/* Thus, when a process runs as the super-user, it is excluded
+/* from privilege-escalation concerns, but only if both real
+/* UID and effective UID are zero.
/* LICENSE
/* .ad
/* .fi
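Review bot: The new documentation is hard to parse: "the result is true when any of the following conditions is true" is followed by a two-item list, then "Additionally, any of the following conditions must be true" and a second list, which the reader must combine as (list one) AND (list two). State the rule in one sentence first, for example "The result is true when the real or effective UID is non-zero, and at least one of the following holds:", then give the single list of set-ugid conditions. The closing paragraph ("excluded ... but only if both real UID and effective UID are zero") is correct and matches the code below.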
int unsafe(void)
{
- return (geteuid() != getuid()
+ return ((getuid() || geteuid())
+ && (geteuid() != getuid()
#ifdef HAS_ISSETUGID
- || issetugid()
+ || issetugid()
#endif
- || getgid() != getegid());
+ || getgid() != getegid()));
}
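Review bot: The parenthesization is right, `(getuid() || geteuid()) && (...)`, and the effect should be stated in a code comment because it is a security-relevant change: a set-uid-root program run by an unprivileged user (real UID non-zero) is still reported unsafe, while a set-gid program run by root with differing real and effective group IDs now returns 0. Callers that relied on the old result for root, such as the TZ scrubbing in msg_syslog_init(), no longer run for root; this patch compensates in postqueue.c by cleaning the environment unconditionally, so any other caller of unsafe() in a set-gid program needs the same review.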