iRedMail icon indicating copy to clipboard operation
iRedMail copied to clipboard

Published 20 hours ago verified publisher icon iredmail

Suggestion. scripts - file permissions

Open m6a4 opened this issue 2 years ago • 1 comments

REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER:

  • iRedMail version (check /etc/iredmail-release): 1.5.2
  • Deployed with iRedMail Easy or the downloadable installer? downloadable inst.
  • Linux/BSD distribution name and version: Debian 10
  • Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
  • Web server (Apache or Nginx): NginX
  • Manage mail accounts with iRedAdmin-Pro? no
  • [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

Hi,

there are several scripts executed by root via cron. The scripts themselves are owned by normal users: e.g. in: opt/www/iredadmin/tools:

  • cleanup-amavisd_db.py
  • cleanup_db.py
  • delete_mailboxes.py

are owned by iredadmin

This setting can be used for privilege escalation to root for this user. Setting the shell to nologin doesn’t mitigate this completely.

Suggestion: set the file owner for the scripts in root’s crontab to root:root, remove ability to be written by user/world for them.

Sincerely,

Michael

m6a4 avatar Sep 07 '22 14:09 m6a4

Suggestion accepted. Will change this soon.

cleanup_amavisd_db.py and cleanup_db.py could be moved to "iredadmin" user's cron job since they are pure sql operations, but delete_mailboxes.py must be ran as root (or "vmail") user since it requires the privilege to remove files under /var/vmail/vmail1.

iredmail avatar Sep 08 '22 00:09 iredmail