On Thu, 26 Mar 2015, Steve Jenkins wrote:
> List seems quiet lately...
> I posted this a while back:
>
> http://lists.opendkim.org/archive/opendkim/dev/2015/03/2039.html
>
> But didn't get any response. To recap, someone is suggesting that the
> /var/run/opendkim directory (which holds the opendkim.pid file) be 775
> instead of 755.
>
> Apparently this helps with configs where the MTA user (sendmail,postfix,
> etc.) is in the opendkim group.
>
> Can anyone see any security or performance issue with allowing
> /var/run/opendkim to be 775 instead of 755?
>
> If not, I may as well change that in the package to allow for those
> types of configs.
If the only thing that lives there is the pid file, I can't imagine any
serious damage being possible with this change. Worst case the pid file
gets improperly removed (meaning the filter can no longer be stopped with
scripts), or changed to something else. The latter case is more
interesting, because if I can become the MTA user, I can replace that pid
with "1", meaning trying to stop opendkim actually has a more destructive
effect.
That doesn't seem to be a very interesting attack though if I can become
the MTA user.
-MSK
Received on Sun Mar 29 2015 - 07:27:28 PST