From 1ab21063923173d545d4eafca0737f29b71ffa12 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Thu, 26 Nov 2009 16:16:01 +0300
Subject: [PATCH] mail/dovecot: add check for the CVE-2009-3897 to the startup script
Signed-off-by: Eygene Ryabinkin
---
 mail/dovecot/files/dovecot.sh.in | 27 +++++++++++++++++++++++++++
 1 files changed, 27 insertions(+), 0 deletions(-)
diff --git a/mail/dovecot/files/dovecot.sh.in b/mail/dovecot/files/dovecot.sh.in
index 601bc0d..dbd23a4 100644
--- a/mail/dovecot/files/dovecot.sh.in
+++ b/mail/dovecot/files/dovecot.sh.in
@@ -34,6 +34,33 @@ start_precmd()
 login_gid=$(/usr/sbin/pw usershow -n "${login_user}" 2>/dev/null | /usr/bin/cut -d: -f4)
 /usr/bin/install -o root -g wheel -m 0755 -d ${base_dir}
 /usr/bin/install -o root -g ${login_gid} -m 0750 -d ${login_dir}
+ # Walk the parents of base_dir and check that they aren't
+ # 0777: Dovecot < 1.2.8 could create the whole hierarchy
+ # with 0777 -- this is CVE-2009-3897. Currently Dovecot
+ # checks permissions of the base_dir by itself, but it doesn't
+ # care about parent directories, so we handle them there.
+ local dirs_0777 parent_dir
+ parent_dir=`realpath "$base_dir"`
+ parent_dir=`dirname "$parent_dir"`
+ while [ "$parent_dir" != "/" ]; do
+ if [ "`stat -f '%Lp' "$parent_dir"`" = 777 ]; then
+ if [ -z "$dirs_0777" ]; then
+ dirs_0777=" $parent_dir"
+ else
+ dirs_0777="$dirs_0777
+ $parent_dir"
+ fi
+ fi
+ parent_dir=`dirname "$parent_dir"`
+ done
+
+ if [ -n "$dirs_0777" ]; then
+ echo "WARNING: the following directories have mode 0777:"
+ echo "$dirs_0777"
+ echo "WARNING: This may be due to the CVE-2009-3897,"
+ echo "WARNING: so you are advised to check if such permissions"
+ echo "WARNING: are really needed and, if possible, fix the modes."
+ fi >&2
 }
 stop_postcmd()
-- 
1.6.5.3
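Review bot: The new `while` loop never terminates if `realpath "$base_dir"` fails: an empty `parent_dir` becomes `.` after the first `dirname`, and `dirname .` yields `.` again, so the walk spins forever and the rc script hangs on start instead of reporting the problem. Guard the loop on an absolute path, e.g. `while [ "$parent_dir" != "/" ] && [ "$parent_dir" != "." ]; do`, or bail out of the check when `realpath` returns non-zero. A smaller point on the `stat -f '%Lp'` test: it prints only the low nine permission bits, so a sticky 1777 parent is reported as "mode 0777" while a parent that is world-writable under some other mode is not reported at all; testing the other-write bit directly, e.g. `[ $(( 0$(stat -f '%Lp' "$parent_dir") & 02 )) -ne 0 ]`, matches the condition that actually lets a local user replace the socket directory. Using `$(...)` there would also be consistent with the existing `login_gid=` line in this function rather than the nested backticks inside double quotes. start_precmd begins before this hunk.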