Date:      Sun, 13 Sep 2015 11:22:24 +0200
From:      "Klaus T. Aehlig" <aehlig@linta.de>
To:        jvarner@gmail.com
Cc:        ctm-users@freebsd.org, Peter Wemm <peter@wemm.org>
Subject:   Re: Future of CTM
Message-ID:  <20150913092224.GC3041@howard.linta.de>
In-Reply-To: <201509051839.t85IdmIJ047044@eden.local>
References:  <2133149.u1BgRHIO00@overcee.wemm.org> <201509051839.t85IdmIJ047044@eden.local>


--YiEDa0DAkWCtVeE4
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

> {
> 
>         :0 c: ${MAILDIR}/ctm-ports.${LOCKEXT}
>         | rcvstore +ctm-ports -nounseen
> 
>         :0 c
>         | gpg --no-default-keyring --keyring ${PMDIR}/ctm.key --verify
> 
>         :0 a
>         | ctm_rmail -p ${HOME}/ctms/ports/pieces -d ${HOME}/ctms/ports/deltas -l ${PMDIR}/ctm.log
> }

If I read your example correctly (I'm not familiar with procmail), you're
only verifying that there is a part with a good signature by the right key
but you pass on the whole mail. Isn't this vulnerable to someone taking a
well-signed mail (e.g., one of those saying the delta is too big and should
be received via ftp) and appending a non-signed clear-text malicious ctm delta?

To avoid those kinds of attacks I only take the "decrypted" contents of the
mail and verify the status fd to check that the mail only contains the parts
I expect (one block followed by a good signature with the correct key
and nothing else following). The script is attached (all the mentioned directories
under /usr/ctm can only be written to by the uucp user). Note, however, that my
set-up is slightly different, as I forward the ctm mails from my mail server
to my FreeBSD machines via uucp.

Regards,
Klaus

--YiEDa0DAkWCtVeE4
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=uucp-ctm-rmail-svn

#!/usr/local/bin/perl -w
use strict;

umask 0022;

# Unique name for this mail: timestamp plus our pid
my $name = `date +%Y-%m-%d-%H:%M:%S`;
chomp($name);
$name .= "-$$";

# Spool the incoming mail verbatim into the drop directory
open(DROP,">","/usr/ctm/incomming/$name")
	or die "Failed to open $name in dropdir ($!)\n";
while(<STDIN>) {
	print DROP $_;
}
close(DROP)
	or die "Failed to close $name in dropdir ($!)\n";

## Check signatures

my $dropname = "/usr/ctm/incomming/$name";
my $plainname = "/usr/ctm/sigs/" . $name . "-plain";
my $logname = "/usr/ctm/sigs/" . $name . "-log";
my $statusname = "/usr/ctm/sigs/" . $name . "-status";
my $keyring = "/root/uucpkeyring";

# Only the decrypted/verified payload goes to $plainname; the machine-readable
# status report goes to fd 3, human-readable diagnostics to $logname.
system "gpg --no-default-keyring --keyring \Q$keyring\E --status-fd 3 -d < \Q$dropname\E > \Q$plainname\E 2> \Q$logname\E 3> \Q$statusname\E";

## Interpret signature check
# The status report must consist of exactly these lines, in this order, and
# nothing else: one text-mode plaintext block (format 74 = 't'), one good and
# valid signature by the expected key, a trust line, then EOF. On any deviation
# the mail is left in the drop directory and we exit without moving anything.

open(STATUS,"<",$statusname)
	or die "Failed to open $statusname ($!)\n";
my $line;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] PLAINTEXT 74 0/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] NEWSIG/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] SIG_ID/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] GOODSIG D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] VALIDSIG 57C2E2F809F114312EB326F9D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] TRUST/ or exit 0;
$line = <STATUS>; defined($line) and exit 0;   # nothing may follow the trust line
close(STATUS);

## if reached here, signature is good and we can trust $plainname

my $goodname = "/usr/ctm/goodmails/" . $name;

rename $plainname, $goodname
	or die "Failed to move $plainname to $goodname ($!)\n";

exit 0;

--YiEDa0DAkWCtVeE4--
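As an added example (not part of Klaus's message or of CTM itself), the status-fd check from the attached script generalised into a reusable Python checker: the key ID and fingerprint are the ones the Perl script pins; the function names and the sample status reports are constructed here.

```python
import re

# The key ID and fingerprint are the ones pinned in the Perl script above;
# everything else here (function names, sample status text) is constructed
# for this example and is not part of the original message.
EXPECTED_KEYID = "D047A1D765FE4840"
EXPECTED_FPR = "57C2E2F809F114312EB326F9D047A1D765FE4840"

# Required line-by-line shape of a gpg --status-fd report for exactly one
# text-mode plaintext block (format 74 = 't') carrying one good signature.
EXPECTED_SEQUENCE = (
    (r"PLAINTEXT 74 0(?:\s|$)", "one text-mode plaintext block"),
    (r"NEWSIG(?:\s|$)", "start of a signature"),
    (r"SIG_ID ", "signature id"),
    (rf"GOODSIG {EXPECTED_KEYID} ", "good signature by the pinned key id"),
    (rf"VALIDSIG {EXPECTED_FPR} ", "valid signature, pinned fingerprint"),
    (r"TRUST_", "trust statement"),
)

def verify_status(status_text):
    """Return (ok, reason). ok is True only when the report is exactly
    EXPECTED_SEQUENCE with nothing before, between or after it, so an
    appended unsigned block, a second signature or a different key fails."""
    lines = status_text.splitlines()
    for i, (pattern, what) in enumerate(EXPECTED_SEQUENCE):
        if i >= len(lines):
            return False, f"report ended early: missing {what}"
        if not re.match(r"\[GNUPG:\] " + pattern, lines[i]):
            return False, f"line {i + 1}: expected {what}, got {lines[i]!r}"
    if len(lines) > len(EXPECTED_SEQUENCE):
        return False, f"unexpected trailing status line: {lines[len(EXPECTED_SEQUENCE)]!r}"
    return True, "ok"

# Constructed sample report for one well-signed mail.
GOOD_STATUS = "\n".join([
    "[GNUPG:] PLAINTEXT 74 0 ",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] SIG_ID c0nstructedS1gId 2015-09-13 1442136144",
    f"[GNUPG:] GOODSIG {EXPECTED_KEYID} CTM signer <placeholder@example.org>",
    f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2015-09-13 1442136144 0 4 0 1 10 00 {EXPECTED_FPR}",
    "[GNUPG:] TRUST_FULLY",
])

# Constructed report modelling the attack described in the mail: a signed
# message with a second, unsigned block appended after the signature.
APPENDED_STATUS = GOOD_STATUS + "\n[GNUPG:] PLAINTEXT 74 0 "
```

Newer gpg releases emit additional status lines (for example KEY_CONSIDERED), so the pinned sequence must be derived from the gpg version actually run, not copied blindly.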



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150913092224.GC3041>