
Suggestion. scripts - file permissions #189

Open
m6a4 opened this issue Sep 7, 2022 · 1 comment

Comments


m6a4 commented Sep 7, 2022

REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER:

  • iRedMail version (check /etc/iredmail-release): 1.5.2
  • Deployed with iRedMail Easy or the downloadable installer? downloadable inst.
  • Linux/BSD distribution name and version: Debian 10
  • Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
  • Web server (Apache or Nginx): NginX
  • Manage mail accounts with iRedAdmin-Pro? no
  • [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

Hi,

There are several scripts executed by root via cron.
The scripts themselves are owned by normal users, e.g. in /opt/www/iredadmin/tools:

  • cleanup-amavisd_db.py
  • cleanup_db.py
  • delete_mailboxes.py

are owned by iredadmin

This setting can be used for privilege escalation to root for this user.
Setting the shell to nologin doesn’t mitigate this completely.

Suggestion:
set the file owner for the scripts in root's crontab to root:root,
and remove the ability for user/world to write to them.

Sincerely,

Michael

Owner

iredmail commented Sep 8, 2022

Suggestion accepted. Will change this soon.

cleanup_amavisd_db.py and cleanup_db.py could be moved to the "iredadmin" user's cron job since they are pure SQL operations, but delete_mailboxes.py must be run as root (or the "vmail" user) since it requires the privilege to remove files under /var/vmail/vmail1.
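An added audit script that checks the condition described in this issue; it is not part of the issue, of iRedMail, or of iRedAdmin. It reads a crontab in the `crontab -l -u root` format (no user column) and flags every referenced script that is not owned by the expected uid (0 for root) or that is group/world writable, and also a world-writable parent directory. It assumes GNU `stat` (Linux); the sample crontab lines in the comments are constructed.

```shell
#!/bin/sh
# Audit the scripts a crontab invokes. For root's crontab every referenced
# file should be owned by uid 0 and writable only by its owner; otherwise the
# file's owner can edit what root will execute. Assumes GNU stat (Linux) and
# user-crontab format (output of `crontab -l -u root`, no user column).

# audit_cron_script PATH [EXPECTED_UID]: returns 0 if PATH is owned by
# EXPECTED_UID (default 0 = root) and neither the file nor its directory is
# group/world writable; prints one line per finding and returns 1 otherwise.
audit_cron_script() {
    path=$1 want_uid=${2:-0} rc=0
    [ -e "$path" ] || { echo "MISSING   $path"; return 1; }
    uid=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER     $path owned by uid $uid, expected $want_uid"; rc=1
    fi
    # 022 = group-write | other-write bits; the leading 0 makes the value octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE  $path mode $mode is group/world writable"; rc=1
    fi
    dir=$(dirname "$path")
    dmode=$(stat -c '%a' "$dir")
    # a world-writable directory without the sticky bit lets anyone replace the file
    if [ $(( 0$dmode & 002 )) -ne 0 ] && [ $(( 0$dmode & 01000 )) -eq 0 ]; then
        echo "DIRWRITE  $dir mode $dmode lets others replace $path"; rc=1
    fi
    return $rc
}

# audit_crontab FILE [EXPECTED_UID]: checks every absolute path naming an
# existing regular file in each command (interpreter and script alike),
# stopping at the first redirection or pipe. Returns 1 if any check failed.
# Constructed sample line: 5 3 * * * /usr/bin/python3 /opt/www/iredadmin/tools/cleanup_db.py
audit_crontab() {
    file=$1 want_uid=${2:-0} bad=0
    set -f                                # crontab fields contain '*'; no globbing
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in [0-9]*|\**|@*) ;; *) continue ;; esac   # skip comments/env
        set -- $line
        case "$1" in @*) shift 1 ;; *) shift 5 ;; esac           # drop the schedule
        for arg in "$@"; do
            case "$arg" in
                \>*|2\>*|\|*) break ;;
                /*) [ -f "$arg" ] && { audit_cron_script "$arg" "$want_uid" || bad=1; } ;;
            esac
        done
    done < "$file"
    set +f
    return $bad
}
```

Run it as `audit_crontab <(crontab -l -u root)` on a bash-capable host, or save `crontab -l -u root` to a file first; a non-zero exit means at least one script would let a non-root owner change what root executes.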
