Usually, qmail-valid-addresses is run as root, and it scans for and
reads all the dot-qmail files as root. This is bad: if a user creates
(say) a symlink to a read-sensitive device with the right name, then
root will open and read the device, causing it to do weird things.
There are also other problems to do with leaking the existence of files
in directories unreadable to the user in question. Even if we were to
check with lstat(2) before reading the file, there's an unavoidable race
between the lstat(2) and the open(2), during which a malicious user
could switch in a link.
The new implementation has qmail-valid-addresses switching effective uid
before scanning that user's home directory. Since all the file I/O is
done as the user who (presumably) owns the files, this can't do any evil
things that user couldn't have done on his own.
This change also fixes a bug which failed to scan dot-qmail files in
subdirectories.
~mdw / qmail / commitdiff