From: "Klaus T. Aehlig"
To: jvarner@gmail.com
Cc: ctm-users@freebsd.org, Peter Wemm
Subject: Re: Future of CTM
Date: Sun, 13 Sep 2015 11:22:24 +0200
Message-ID: <20150913092224.GC3041@howard.linta.de>
In-Reply-To: <201509051839.t85IdmIJ047044@eden.local>
References: <2133149.u1BgRHIO00@overcee.wemm.org> <201509051839.t85IdmIJ047044@eden.local>

> {
>
> :0 c: ${MAILDIR}/ctm-ports.${LOCKEXT}
> | rcvstore +ctm-ports -nounseen
>
> :0 c
> | gpg --no-default-keyring --keyring ${PMDIR}/ctm.key --verify
>
> :0 a
> | ctm_rmail -p ${HOME}/ctms/ports/pieces -d ${HOME}/ctms/ports/deltas -l ${PMDIR}/ctm.log
> }

If I read your example correctly (I'm not familiar with procmail), you're only verifying that there is a part with a good signature by the right key, but you pass on the whole mail. Isn't this vulnerable to someone taking a well-signed mail (e.g., one of those saying the delta is too big and should be received via ftp) and appending a non-signed clear-text malicious ctm delta?

To avoid those kinds of attacks I only take the "decrypted" contents of the mail and verify the status fd to check that the mail only contains the parts I expect (one block followed by a good signature with the correct key and nothing else following). The script is attached (all the mentioned directories under /usr/ctm can only be written to by the uucp user). Note, however, that my set-up is slightly different, as I forward the ctm mails from my mail server to my FreeBSD machines via uucp.

Regards,
Klaus

Attachment: uucp-ctm-rmail-svn

#!/usr/local/bin/perl -w
use strict;

umask 0022;

# Store the mail arriving on stdin (via uucp) under a unique name
# built from the current time and our pid.
my $name = `date +%Y-%m-%d-%H:%M:%S`;
chomp($name);
$name .= "-$$";

open(DROP, ">", "/usr/ctm/incomming/$name")
    or die "Failed to open $name in dropdir ($!)\n";
while (<STDIN>) {
    print DROP $_;
}
close(DROP) or die "Failed to close $name in dropdir ($!)\n";

## Check signatures
my $dropname   = "/usr/ctm/incomming/$name";
my $plainname  = "/usr/ctm/sigs/" . $name . "-plain";
my $logname    = "/usr/ctm/sigs/" . $name . "-log";
my $statusname = "/usr/ctm/sigs/" . $name . "-status";
my $keyring    = "/root/uucpkeyring";

# Let gpg strip the signature: the signed payload goes to $plainname,
# diagnostics to $logname and the machine-readable status lines
# (--status-fd 3) to $statusname. Only the dedicated keyring is used.
system "gpg --no-default-keyring --keyring \Q$keyring\E --status-fd 3 -d < \Q$dropname\E > \Q$plainname\E 2> \Q$logname\E 3> \Q$statusname\E";

## Interpret signature check: the status output must consist of exactly
## the following lines, in this order, and nothing else. Anything
## unexpected (e.g. a second plaintext block appended after the
## signature) makes us drop the mail.
open(STATUS, "<", $statusname)
    or die "Failed to open status file $statusname ($!)\n";
my $line = <STATUS>; chomp($line);
$line =~ /^\[GNUPG:\] PLAINTEXT 74 0/ or exit 0;
$line = <STATUS>; chomp($line);
$line =~ /^\[GNUPG:\] NEWSIG/ or exit 0;
$line = <STATUS>; chomp($line);
$line =~ /^\[GNUPG:\] SIG_ID/ or exit 0;
$line = <STATUS>; chomp($line);
$line =~ /^\[GNUPG:\] GOODSIG D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line);
$line =~ /^\[GNUPG:\] VALIDSIG 57C2E2F809F114312EB326F9D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line);
$line =~ /^\[GNUPG:\] TRUST/ or exit 0;
$line = <STATUS>;
! $line or exit 0;    # nothing may follow the TRUST line
close(STATUS);

## if reached here, signature is good and we can trust $plainname
my $goodname = "/usr/ctm/goodmails/" . $name;
rename $plainname, $goodname
    or die "Failed to move $plainname to $goodname ($!)\n";
exit 0;
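The strict status-fd check Klaus describes, as an added example that is not part of his mail or script, written in Python rather than Perl. The key ID and fingerprint are the ones in the script; the status lines are constructed samples, not captured gpg output, and the SIG_ID value, timestamps and user ID in them are made up.

```python
import re

# Expected signer: the key ID and fingerprint checked in Klaus's script.
EXPECTED_KEYID = "D047A1D765FE4840"
EXPECTED_FPR = "57C2E2F809F114312EB326F9D047A1D765FE4840"

# The only status-fd sequence that is accepted: one regex per line, matched
# right after the "[GNUPG:] " prefix. One plaintext block, one signature by
# the expected key, a trust line, and nothing after it.
EXPECTED = [
    r"PLAINTEXT 74 0\b",                  # 74 = 't' (text mode), timestamp 0
    r"NEWSIG\b",
    r"SIG_ID\b",
    r"GOODSIG " + EXPECTED_KEYID + r"\b",
    r"VALIDSIG " + EXPECTED_FPR + r"\b",
    r"TRUST_",                            # any TRUST_* line, as in the Perl script
]

def check_status(status_text):
    """Return (True, "ok") when status_text is exactly EXPECTED, otherwise
    (False, reason). Any extra line, such as a second PLAINTEXT produced by
    an unsigned block appended after the signed one, means rejection."""
    lines = status_text.splitlines()
    for i, pat in enumerate(EXPECTED):
        if i >= len(lines):
            return False, "status ended early at line %d (wanted %s)" % (i, pat)
        if not re.match(r"\[GNUPG:\] " + pat, lines[i]):
            return False, "line %d does not match %s: %r" % (i, pat, lines[i])
    if len(lines) > len(EXPECTED):
        return False, "unexpected status after TRUST: %r" % lines[len(EXPECTED)]
    return True, "ok"

# Constructed sample status output (not real gpg output).
GOOD_STATUS = """[GNUPG:] PLAINTEXT 74 0
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID CONSTRUCTEDSIGID0000000000 2015-09-13 1442136144
[GNUPG:] GOODSIG D047A1D765FE4840 CTM sender (constructed) <ctm@example.org>
[GNUPG:] VALIDSIG 57C2E2F809F114312EB326F9D047A1D765FE4840 2015-09-13 1442136144 0 4 0 1 2 00 57C2E2F809F114312EB326F9D047A1D765FE4840
[GNUPG:] TRUST_ULTIMATE
"""
# The same run with an unsigned block appended after the signed one.
APPENDED_STATUS = GOOD_STATUS + "[GNUPG:] PLAINTEXT 74 0\n"
# A good signature, but made by a different key present in the keyring.
OTHER_KEY_STATUS = GOOD_STATUS.replace("D047A1D765FE4840 CTM", "0123456789ABCDEF CTM")

if __name__ == "__main__":
    for label, text in [("good", GOOD_STATUS), ("appended block", APPENDED_STATUS),
                        ("other key", OTHER_KEY_STATUS)]:
        print(label, check_status(text))
```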