Date:      Thu, 8 May 2008 19:02:48 GMT
From:      Richard Stockton <stockton@mail.adhost.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/123529: master.passwd info included in postfix transport.db
Message-ID:  <200805081902.m48J2mNM070159@www.freebsd.org>
Resent-Message-ID: <200805081910.m48JA18n053877@freefall.freebsd.org>


>Number:         123529
>Category:       misc
>Synopsis:       master.passwd info included in postfix transport.db
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 08 19:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Richard Stockton
>Release:        6.x (actually happens on all 6.x versions)
>Organization:
Adhost Internet
>Environment:
FreeBSD mail-in03.adhost.com 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Tue May 22 13:48:59 PDT 2007     stockton@mail-in03.adhost.com:/usr/src/sys/i386/compile/MAIL-IN03  i386
>Description:
These machines are incoming mail servers all running postfix 2.5.0.  When changing the transport table with "postmap" or running "newaliases", the .db file created contains not only the contents of the "transport" (or "aliases") file, but also the contents of the "/etc/master.passwd" file.  Obviously a security concern.

Wietse Venema (wietse@porcupine.org), the author of postfix, suggests this:
> Apparently, some SYSTEM LIBRARY Berkeley DB routine writes
> uninitialized memory to file. Postfix does not write Berkeley DB
> files directly.
>
> Have you sent a bug report to the FreeBSD bugs database?
>
> Solaris had a similar problem years ago with the tar(1) command.
> Not nice if you were putting tar files on anonymous FTP servers.


>How-To-Repeat:
Use postfix's "newaliases" or "postmap" to create .db files.

I believe the problem may be that the default "db.h" file shipped with FreeBSD is very old (version 1?) and even if you install BerkeleyDB via ports ("/usr/ports/databases/db44"), that old db.h remains.  I suspect that postfix uses that old db.h file when compiling "postmap" and "newaliases".

>Fix:
I was able to fix the problem by using "makemap".

    makemap -N hash /etc/postfix/transport < /etc/postfix/transport
    makemap -N hash /etc/mail/aliases < /etc/mail/aliases


>Release-Note:
>Audit-Trail:
>Unformatted:
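
A check an administrator could run over generated map files to see whether they contain master.passwd-shaped records, as an added example that is not part of the original report. The regular expression, the function name and the sample bytes are assumptions constructed here, based on the ten-field master.passwd(5) layout.

```python
import re
import sys

# master.passwd(5) layout: name:password:uid:gid:class:change:expire:gecos:home:shell
_FIELD = rb"[^:\x00\r\n]*"
MASTER_PASSWD_RE = re.compile(
    rb"([A-Za-z_][A-Za-z0-9_.-]{0,31}):" + _FIELD      # name, password (skipped)
    + rb":(\d+):(\d+):" + _FIELD                        # uid, gid, class
    + rb":\d+:\d+:" + _FIELD                            # change, expire, gecos
    + rb":(/[^:\x00\r\n]*):(/[^:\x00\s]*)"              # home, shell
)


def find_leaked_records(data):
    """Return (offset, user, uid, shell) per master.passwd-shaped record.

    The password field is deliberately not captured, so hashes never
    end up in the report or in terminal scrollback.
    """
    return [
        (m.start(), m.group(1).decode("ascii"), int(m.group(2)),
         m.group(5).decode("ascii", "replace"))
        for m in MASTER_PASSWD_RE.finditer(data)
    ]


# Constructed sample: filler bytes, one legitimate transport entry, then two
# account records sitting in what should be unused space in the file.
SAMPLE_DB = (
    b"\x00" * 16
    + b"example.com\x00smtp:[relay.example.net]\x00"
    + b"root:$1$CONSTRUCTED$notarealhash:0:0::0:0:Charlie &:/root:/bin/csh\n"
    + b"daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin\n"
    + b"\x00" * 16
)

if __name__ == "__main__":
    # Usage (hypothetical script name): python3 scan_db.py /etc/postfix/transport.db
    found = False
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for off, user, uid, shell in find_leaked_records(fh.read()):
                found = True
                print(f"{path}: offset {off}: account record for {user!r} "
                      f"(uid {uid}, shell {shell})")
    sys.exit(1 if found else 0)
```

A non-zero exit status means at least one scanned file contains account-shaped records and should be regenerated and have its permissions reviewed.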


