One or more vulnerabilities in Postfix MTA
The Postfix mail transfer agent (MTA) has two vulnerabilities – but only under Linux and Solaris. According to Suse, which discovered the errors during a code audit, a user with limited rights could execute commands with root rights and access the mailbox files of other users. In his security advisory, however, Wietse Venema, the developer of Postfix, discusses only the vulnerability that allows access to mailbox files. He also plays down the potential for abuse, saying only that emails can be appended to existing files.
The reported cause of the problems is a faulty interaction with Solaris and Linux, which deviate from standard behaviour (POSIX, X/Open) when a hard link to a symlink is created. Instead of following the symlink recursively and then creating a hard link to the file found, these systems create a hard link to the symlink itself. This reportedly allows an attacker to hardlink a root-owned symlink to /var/mail, for example, and cause Postfix to append mail to existing files. Venema – see below – gives a precise description of the error, how to test your own server for it, and how to secure the server even without the patch provided.
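The link behaviour described above can be checked in a scratch directory, and a mail spool can be audited for symlinks that carry more than one name. This is an added example, not Venema's test procedure or code from either advisory; the function names are hypothetical, and /var/mail is the spool path named in the article.

```shell
#!/bin/sh
# Added example (not from the Postfix or Suse advisories).

# Report how this system treats "hard link to a symlink".
# Prints one of:
#   symlink - the new name is a second name for the symlink itself
#             (the non-standard behaviour the article describes)
#   target  - the symlink was followed and the target file was linked
#   refused - the system would not create the link at all
hardlink_to_symlink_behaviour() {
    dir=$(mktemp -d) || return 2        # private scratch directory
    (
        cd "$dir" || exit 2
        : > target                      # ordinary file
        ln -s target symlink            # symlink pointing at it
        if ! ln symlink hardlink 2>/dev/null; then
            echo refused
        elif [ -L hardlink ]; then
            echo symlink
        else
            echo target
        fi
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# List symlinks below a directory whose link count is greater than one,
# i.e. symlinks that have been hard-linked under an additional name.
# Intended use on a mail server: list_hardlinked_symlinks /var/mail
list_hardlinked_symlinks() {
    find "$1" -type l -links +1 -print
}

echo "hard link to a symlink on this system: $(hardlink_to_symlink_behaviour)"
```

A result of `symlink` means the operating system shows the behaviour the article attributes to Linux and Solaris; any output from the spool audit is worth investigating regardless of patch level.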
What all this has to do with executing commands with root rights is unclear. An answer from Suse is still awaited. Users should follow Venema's instructions or install the packages for their distribution.
- Postfix local privilege escalation via hardlinked symlinks, vulnerability report by Wietse Venema
- SUSE Security Announcement: postfix, advisory from Suse