spamass-milt-list


Re: -x on Postfix, and a possible fix.


From: Tony Shadwick
Subject: Re: -x on Postfix, and a possible fix.
Date: Thu, 10 Jun 2010 10:59:13 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100423 Lightning/1.0b1 Thunderbird/3.0.4

Right; spamass-milter hasn't had a release in a while (0.3.1 was
released in 2006), so versions that I (Debian) and Fedora work on have
diverged slightly.

*snip*

So I got the latest sources that Ubuntu uses and just took a look. I guess I'm not sure how this is an improvement:

/* open a pipe to sendmail so we can do address expansion */

                char buf[1024];
                char *popen_argv[4];

                popen_argv[0] = SENDMAIL;
                popen_argv[1] = "-bv";
                popen_argv[2] = envrcpt[0];
                popen_argv[3] = NULL;

                debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]);

                p = popenv(popen_argv, "r");
                if (!p)
                {
                        debug(D_RCPT, "popenv failed(%s). Will not expand alia$
                        assassin->expandedrcpt.push_back(envrcpt[0]);
                } else

So instead of just doing popen() based on a specific format, now we're specifying what arguments get passed using popenv(), which is passed an array. That's fine, but what changes?

Someone sends me an email with ill intent, say rcpt to: <root+:"|touch /tmp/numbskitime">. With the above, the array looks like this for me:

                popen_argv[0] = "/usr/bin/sendmail";
                popen_argv[1] = "-bv";
                popen_argv[2] = "<root+:\"|touch /tmp/numbskitime\">";
                popen_argv[3] = NULL;

So in effect - the same thing gets executed: /usr/bin/sendmail -bv <root+:"|touch /tmp/numbskitime">

Unless you're saying that by doing popenv, those quotes and semicolon won't be escaped, therefore it won't get run? Sorry - I guess my understanding of programming from Perl, Java, and JavaScript isn't carrying over well into C.

For the moment, since my system is Postfix and configured properly to mitigate this, I am personally not impacted by switching it to use postmap -q envrcpt[0] /etc/virtual. Once I can identify the difference and the overall impact to make sure I'm not creating another bug to squash, I'll post back a patch that will allow -X. I guess the only question there is whether it's a security vulnerability to allow the user to launch by doing "-X /path/to/script" and trusting that the script itself is secure in returning a valid local (or otherwise) user for spamc to look up? For me at the moment, the lookups work well; I'm killing any pipes or semicolons in my script, but obviously, if someone tries to pass it in the envelope recipient, it will attempt to execute and Postfix will stop it.

As a side note - has anyone looked into this:

http://savannah.nongnu.org/bugs/?29136#comment10

?

Seems like I'm just re-implementing that problem - or was it resolved?

Tony Shadwick
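
On the question above of what changes between a popen() format string and an argument array: the following is an added example, not part of the original post and not spamass-milter's code, and it assumes popenv() executes the array without a shell. /bin/echo stands in for SENDMAIL; the function names, the shell format string and the MARKER path are assumptions.

```c
/* Added illustration, not spamass-milter code; HELPER and function names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define HELPER "/bin/echo"            /* assumption: harmless stand-in for SENDMAIL */
#define RCPT   "<root+:\"|touch /tmp/numbskitime\">"   /* recipient quoted in the post */
#define MARKER "/tmp/numbskitime>"    /* exists only if a shell parsed RCPT */

/* popen() hands one string to /bin/sh -c, so the quotes and '|' inside the
 * recipient are read as shell syntax rather than as data. */
static int expand_via_shell(const char *rcpt, char *out, size_t n) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s \"%s\"", HELPER, rcpt);  /* assumed format */
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    out[fread(out, 1, n - 1, p)] = '\0';
    return pclose(p);
}

/* fork + execv with an argument vector: no shell runs, and the recipient
 * reaches the helper as one literal argv[1], whatever bytes it holds. */
static int expand_via_argv(const char *rcpt, char *out, size_t n) {
    int fd[2], status = -1;
    char *argv[] = { HELPER, (char *)rcpt, NULL };
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                   /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO); close(fd[0]); close(fd[1]);
        execv(HELPER, argv); _exit(127);   /* _exit only if exec fails */
    }
    close(fd[1]);
    size_t total = 0; ssize_t got;
    while ((got = read(fd[0], out + total, n - 1 - total)) > 0) total += (size_t)got;
    out[total] = '\0';
    close(fd[0]); waitpid(pid, &status, 0);
    return status;
}

int main(void) {
    char out[1024];
    expand_via_shell(RCPT, out, sizeof out);
    printf("shell: verbatim=%d marker=%d\n", strcmp(out, RCPT "\n") == 0, access(MARKER, F_OK) == 0);
    unlink(MARKER);                   /* remove the file the shell path created */
    expand_via_argv(RCPT, out, sizeof out);
    printf("argv:  verbatim=%d marker=%d\n", strcmp(out, RCPT "\n") == 0, access(MARKER, F_OK) == 0);
    return 0;
}
```

Skipping the shell only removes the shell's parsing; the helper still receives the recipient and applies its own interpretation to it, so that program's handling of hostile addresses remains in scope.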


