security issue

The file /etc/postfix/virtual (and others) is readable by all users. It contains confidential information though ...

Status: 
Active

Comments

Howdy -- well, some of that information could be determined by looking in /etc/passwd, which is world readable.

However, not all of it.

Jamie, would you foresee any problems in setting /etc/postfix/virtual so that it's only readable by root, and not the world?

That would hide the list of email addresses that show up in there.

It may break Postfix if this is root-owned. Also, it will prevent Usermin from looking up a user's from: address based on his login name.

Oops, that is a bummer :-)

How about postfix.cert.pem? That is root:root 600 owned and postfix doesn't seem to have an issue.

Of course I don't know the Usermin "stuff" ...

If you don't use Usermin on your system (it's the webmail interface on port 20000), then the ownership change will probably be OK.

That's true (and I did already). What about mentioning this in the module help (that all virtual domain settings are readable by all users)?

Why is this a security issue though? The only thing the virtual file contains is the mapping from email addresses to names.

Submitted by Joe on Tue, 10/28/2014 - 15:02 Pro Licensee

Postfix needs to be able to read the .db files without root privileges. It drops privilege after starting up and grabbing its ports and such, but it will access the db versions of the map files during run-time (on every mail received or sent, I believe, though I guess it's memory-mapped for performance).

So, changing virtual (and aliases, while we're at it) to 600 might be plausible, but the virtual.db and aliases.db files will need to remain world-readable (or be changed in some sort of way to allow the postfix user to read it, maybe by setting group membership differently and making it group readable). While virtual.db is not directly human readable, the postmap command will read it on behalf of users, if they have the necessary permissions on virtual.db. i.e. one can type "postmap -s hash:/etc/postfix/virtual" and it'll print out the contents of the map for you, as long as the user running the command has read access.

I never considered the virtual table to be particularly sensitive information. But, I guess it could be considered somewhat useful for spammers, if you had a spammer hosting on your box (even if they weren't sending from your box, if they found a list of email addresses they might consider that a fun thing). Though most email addresses are already on a few thousand spammers' email lists, one more isn't going to wreck it.

The aliases table would be another that would provide similar kinds of data (though potentially less of it). I suspect it would have the same problems, and maybe more (since more webmail tools look at aliases) being chmodded to 600.

I don't personally think that email addresses should be considered sensitive - every time you email someone, they can see your address! Also, even if we were able to fix the postfix permissions, the /etc/passwd file could still be read to find all email addresses on the system. And that file certainly can't be made readable only by root, as it would break all commands that need to look up usernames.

the /etc/passwd file could still be read to find all email addresses on the system

I don't understand that part. Let's say we add an "All Mailboxes" alias to a virtual server with a "personal gmail address". This wouldn't change /etc/passwd, right? But it would add the following entry to the all-readable /etc/aliases file

default-domain.net: domain,private@gmail.com

If this problem isn't fixable, fair enough. But at least a note in the help section would be appropriate. (Something like "notice: all aliases/emails/virtuals added will be visible to all users on the system" or so)

You're right, the forwarding addresses aren't visible in /etc/passwd. But all the local email addresses are.
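As an added illustration (not code from this thread, Virtualmin or Postfix), the following script audits whether a Postfix map's source file and its compiled .db are world-readable, and applies the split Joe describes: source readable by root only, .db readable by a group the unprivileged daemon belongs to. The group name "postfix" and Linux-style `ls -ld` output are assumptions.

```shell
#!/bin/sh
# Added audit helper for Postfix lookup tables (assumed layout: /etc/postfix/virtual
# plus a compiled /etc/postfix/virtual.db, same for /etc/aliases).

# world_readable FILE -> prints "yes" if the others-read bit is set, else "no".
# The 8th character of the ls mode string is the others-read bit (-rw-r--r--).
world_readable() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c8)" in
        r) echo yes ;;
        *) echo no ;;
    esac
}

# audit_map MAPFILE -> one line per existing file (source and .db):
#   "<path> world-readable=yes|no"
audit_map() {
    src=$1
    for f in "$src" "$src.db"; do
        [ -e "$f" ] || continue
        printf '%s world-readable=%s\n' "$f" "$(world_readable "$f")"
    done
}

# harden_map MAPFILE [GROUP] -> source becomes 600 (root/owner only); the
# compiled .db stays readable by GROUP (default "postfix", an assumption) so
# the privilege-dropped daemon can still open it, while other users cannot
# dump it with "postmap -s".
harden_map() {
    src=$1; grp=${2:-postfix}
    chmod 600 "$src" || return 1
    if [ -e "$src.db" ]; then
        chgrp "$grp" "$src.db" && chmod 640 "$src.db"
    fi
}

# Usage on a real host (requires root):
#   audit_map /etc/postfix/virtual; audit_map /etc/aliases
#   harden_map /etc/postfix/virtual postfix
```

After hardening, re-run audit_map and confirm mail delivery and postmap -q still work for the postfix user before touching /etc/aliases, which more tools read.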