Curious startup warning


Curious startup warning

James Moe
postfix v3.2.0
linux v4.4.103-36-default x86_64

  Whenever postfix (re-)starts, the message below is emitted.
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32024]: warning: group or other writable: /etc/postfix/./ssl/cacerts
Jan 12 13:59:28 sma-server3 postfix/postfix-script[32040]: starting the Postfix mail system

  Following the various paths yields the following directory listings:

$ ls -l .
drwxr-xr-x 1 root root 24 Nov  4 13:04 ssl/
$ ls -l ssl/
lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/
drwxr-xr-x 1 root root  0 May 17  2017 certs/
$ ls -l /etc/
drwxr-xr-x 1 root root 146 Dec 15 02:29 ssl/
$ ls -l /etc/ssl/
lrwxrwxrwx 1 root root  28 Nov  4 12:49 certs -> /var/lib/ca-certificates/pem/
$ ls -l /
drwxr-xr-x 1 root root       234 Nov  4 13:04 var/
$ ls -l /var/
drwxr-xr-x 1 root root 1090 Jan  9 10:40 lib/
$ ls -l /var/lib/
drwxr-xr-x 1 root root  70 Nov 13 03:05 ca-certificates/
$ ls -l /var/lib/ca-certificates/
dr-xr-xr-x 1 root root  17324 Nov 13 03:05 pem/

  Any real directories are not group/other writable. Only the links have
the writable attributes.
  Are the links what triggers the warning message?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



Re: Curious startup warning

Bill Cole-3
On 12 Jan 2018, at 16:51 (-0500), James Moe wrote:

> postfix v3.2.0
> linux v4.4.103-36-default x86_64
>
>   Whenever postfix (re-)starts, the message below is emitted.
> Jan 12 13:59:28 sma-server3 postfix/postfix-script[32024]: warning: group or other writable: /etc/postfix/./ssl/cacerts
> Jan 12 13:59:28 sma-server3 postfix/postfix-script[32040]: starting the Postfix mail system
>
>   Following the various paths yields the following directory listings:
>
> $ ls -l .
> drwxr-xr-x 1 root root 24 Nov  4 13:04 ssl/
> $ ls -l ssl/
> lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/
> drwxr-xr-x 1 root root  0 May 17  2017 certs/
> $ ls -l /etc/
> drwxr-xr-x 1 root root 146 Dec 15 02:29 ssl/
> $ ls -l /etc/ssl/
> lrwxrwxrwx 1 root root  28 Nov  4 12:49 certs -> /var/lib/ca-certificates/pem/
> $ ls -l /
> drwxr-xr-x 1 root root       234 Nov  4 13:04 var/
> $ ls -l /var/
> drwxr-xr-x 1 root root 1090 Jan  9 10:40 lib/
> $ ls -l /var/lib/
> drwxr-xr-x 1 root root  70 Nov 13 03:05 ca-certificates/
> $ ls -l /var/lib/ca-certificates/
> dr-xr-xr-x 1 root root  17324 Nov 13 03:05 pem/
>
>   Any real directories are not group/other writable. Only the links have
> the writable attributes.
>   Are the links what triggers the warning message?

Maybe...

What are the permissions of the directory /etc/postfix/ssl/ ? Note that
if any directory above the symlink or the real directory is
group-writable (or less likely and worse: world-writable) then it is
conceivable that a non-root member of the group could engineer a
replacement for the target directory.

OTOH, it is possible that Postfix is seeing the 777 permissions of the
symlink itself and griping about that. You can solve that with 'chmod
go-w /etc/postfix/./ssl/cacerts'

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Curious startup warning

Wietse Venema
In reply to this post by James Moe
James Moe:


> postfix v3.2.0
> linux v4.4.103-36-default x86_64
>
>   Whenever postfix (re-)starts, the message below is emitted.
> Jan 12 13:59:28 sma-server3 postfix/postfix-script[32024]: warning: group or other writable: /etc/postfix/./ssl/cacerts
> Jan 12 13:59:28 sma-server3 postfix/postfix-script[32040]: starting the Postfix mail system
>
>   Following the various paths yields the following directory listings:
>
> $ ls -l .
> drwxr-xr-x 1 root root 24 Nov  4 13:04 ssl/
> $ ls -l ssl/
> lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/

The above is not needed, if you configure Postfix to read the system
SSL certificate database with "tls_append_default_CA = yes". Not a
good idea if you use certificates to allow relaying!

Symlinks from /etc/postfix or other Postfix directories are not
supported, because it is hard to verify the target of a symlink and
all its parent directories are secure, at least in a shell script
that has to run on more than one OS type.

[I suppose one could add a Postfix dependency on perl and do some
more sophisticated analyses. Basically all the directories traversed
must be secure as in:

- All directories traversed while resolving a pathname under
/etc/postfix including any directories traversed while resolving a
symlink target must be writable only by root. And of course so must
be the file that we eventually arrive at.

- Similar logic for /var/lib/postfix, except that files/directories
must be writable only by postfix (Postfix never writes to such files
as root).

- The rules for /var/spool/postfix are more complex because some
directories must be writable only by root and others only by postfix.

A potential complication with symlinks is that they may create a
loop, so a Postfix checker would have to be robust against that.
If the postfix user becomes compromised, then a malicious symlink
from /var/spool/postfix should not result in damage to the host.]

        Wietse
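
[Added example, not part of the original message and not Postfix code: a Python version of the path walk described in the message above. It resolves a pathname one component at a time, follows symlinks by hand, checks every directory traversed plus the final object, and stops on a symlink loop. The names audit_path, base, trusted_uids and MAX_LINKS are assumptions made for this example.]

```python
import os
import stat

MAX_LINKS = 40  # assumed hop limit so a symlink loop cannot hang the checker

def audit_path(path, base="/", trusted_uids=(0,)):
    """Resolve `path` under `base` one component at a time, following symlinks
    by hand, and return (pathname, problem) for every insecure object met."""
    findings = []

    def check(p):
        st = os.lstat(p)
        if st.st_uid not in trusted_uids:
            findings.append((p, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & 0o022:
            findings.append((p, "group or other writable"))

    cur, hops = base, 0
    check(cur)
    pending = [c for c in path.split("/") if c not in ("", ".")]
    while pending:
        comp = pending.pop(0)
        if comp == "..":
            cur = os.path.dirname(cur)
            check(cur)  # ".." can land on a directory not yet examined
            continue
        cand = os.path.join(cur, comp)
        try:
            st = os.lstat(cand)
        except OSError as exc:
            findings.append((cand, "cannot stat: %s" % exc.strerror))
            break
        if stat.S_ISLNK(st.st_mode):
            # The link's own mode bits are not judged here; the link is protected
            # by its parent directory, which has already been checked.
            hops += 1
            if hops > MAX_LINKS:
                findings.append((cand, "too many symlinks (loop?)"))
                break
            target = os.readlink(cand)
            if target.startswith("/"):
                cur = "/"  # absolute target: restart the walk at the root
                check(cur)
            pending = [c for c in target.split("/") if c not in ("", ".")] + pending
            continue
        check(cand)  # real directory, or the final file
        cur = cand
    return findings
```

[The result is a snapshot: it says nothing about changes made to the tree after the walk. For /var/lib/postfix the same walk would be called with the postfix user's uid in trusted_uids instead of 0.]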

Re: Curious startup warning

James Moe
On 01/12/2018 06:27 PM, Wietse Venema wrote:
>
>> $ ls -l ssl/
>> lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/
> The above is not needed, if you configure Postfix to read the system
> SSL certificate database with "tls_append_default_CA = yes". Not a
> good idea if you use certificates to allow relaying!
>
  "tls_append_default_CA = no" in our configuration.
  I am not clear which item is not a good idea: the symlink, or
"tls_append_default_CA = yes."
  Besides the symlink in the postfix configuration, there is another one
in the path to the certificates. If I changed the one symlink in
postfix, would it still warn about the other symlink?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





Re: Curious startup warning

Viktor Dukhovni


> On Jan 16, 2018, at 12:35 PM, James Moe <[hidden email]> wrote:
>
>>> $ ls -l ssl/
>>> lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/
>> The above is not needed, if you configure Postfix to read the system
>> SSL certificate database with "tls_append_default_CA = yes". Not a
>> good idea if you use certificates to allow relaying!
>>
>  "tls_append_default_CA = no" in our configuration.
>  I am not clear which item is not a good idea: the symlink, or
> "tls_append_default_CA = yes."

Mainly the latter.

> Besides the symlink in the postfix configuration, there is another one
> in the path to the certificates. If I changed the one symlink in
> postfix, would it still warn about the other symlink?

Any symlink in the Postfix configuration directory will raise the
warning.

--
        Viktor.


Re: Curious startup warning

Wietse Venema
In reply to this post by James Moe
James Moe:


> On 01/12/2018 06:27 PM, Wietse Venema wrote:
> >
> >> $ ls -l ssl/
> >> lrwxrwxrwx 1 root root 15 Nov  4 13:04 cacerts -> ../../ssl/certs/
> > The above is not needed, if you configure Postfix to read the system
> > SSL certificate database with "tls_append_default_CA = yes". Not a
> > good idea if you use certificates to allow relaying!
> >
>   "tls_append_default_CA = no" in our configuration.
>   I am not clear which item is not a good idea: the symlink, or
> "tls_append_default_CA = yes."

With cacerts -> ../../ssl/certs/, you may just as well delete the
symlink and set "tls_append_default_CA = yes", because the result
will be the same.

        Wietse