postfix-users October 2010 archive

Re: Is there potential OS command injection attack in forwarding e-mail to command?

From: Jeroen Geilman <jeroen_at_nospam>
Date: Fri Oct 22 2010 - 12:27:31 GMT
To: postfix-users@postfix.org

On 10/22/2010 11:32 AM, Kousuke Ebihara wrote:
> Hi,
>
> I have a question about an OS command injection attack in forwarding
> e-mail to a command.
>
> The Postfix alias database allows the following configuration. It forwards
> e-mail to the specified command:
>
> alias: /path/to/command
>
> I think Postfix executes the following command (my guess...):
>

No.
Postfix executes these commands directly, nothing is exposed to a shell
or command processor.
The obvious exception is if you run an executable shell script, but you
should always specify the shell to run that with and not rely on the OS
to do that for you.

> echo $e_mail | /path/to/command
>

I suggest you read the documentation for external command execution,
which will tell you what actually happens.

> But e-mail is a kind of user-inputted value. So I'm worried that
> Postfix might execute commands in the content of an e-mail.
>

Postfix does not parse, process or otherwise influence mail sent to
external commands.
Of course, what your chosen external command does is not under postfix's
control.

> Of course I believe Postfix doesn't execute commands by user-inputted
> value. But I couldn't find any evidence...
>

The documentation for local(8) and pipe(8) states EXACTLY how and under
which conditions external commands are executed.

http://www.postfix.org/local.8.html

http://www.postfix.org/pipe.8.html

The postfix documentation explains at length which security implications
running external commands has, and has an excellent track record.
Nothing will ever be executed as root, and delivery is done as the
mailbox user, period.

-- J.
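
Added example, not part of the original post and not Postfix code: a Python sketch contrasting the shell pipeline guessed in the question with direct execution, where the message reaches the command only as stdin data. It assumes a POSIX system; `cat` stands in for /path/to/command and the message is constructed.

```python
import subprocess

# Constructed sample message; the body contains shell command substitution.
MESSAGE = "Subject: test\n\nhello $(echo INJECTED)\n"

# Hypothetical stand-in for the alias target /path/to/command:
# cat copies its stdin to stdout, so we can see what the command received.
COMMAND = ["cat"]


def deliver_direct(message: str) -> str:
    """Run the command from an argv list with no shell.

    The message is written to the child's stdin and is never part of a
    command line, so nothing in it is interpreted.
    """
    done = subprocess.run(COMMAND, input=message, capture_output=True,
                          text=True, check=True)
    return done.stdout


def deliver_via_shell_string(message: str) -> str:
    """Anti-pattern guessed in the question: echo $e_mail | /path/to/command.

    The message body is spliced into a string handed to /bin/sh, so the
    shell expands $(...) before the command ever sees the text.
    """
    body = message.split("\n\n", 1)[1].strip()
    line = "echo " + body + " | " + COMMAND[0]
    done = subprocess.run(line, shell=True, capture_output=True,
                          text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    # Direct exec: the command receives the message byte-for-byte.
    print(repr(deliver_direct(MESSAGE)))
    # Shell string: the substitution ran and its output replaced the text.
    print(repr(deliver_via_shell_string(MESSAGE)))
```

The second function is the thing to look for when reviewing the external command itself: as the reply says, what that command does with its input is outside Postfix's control.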