| NBDB_REINDEXD(8) | System Manager's Manual | NBDB_REINDEXD(8) |
NAME
nbdb_reindexd - Postfix non-Berkeley-DB migration
SYNOPSIS
nbdb_reindexd [generic Postfix daemon options]
DESCRIPTION
NOTE: This service should be enabled only temporarily to generate most of the non-Berkeley-DB indexed files that Postfix needs. Leaving this service enabled may expose the system to privilege-escalation attacks.
The nbdb_reindexd(8) server handles requests to generate a non-Berkeley-DB indexed database file for an existing Berkeley DB database (example: "hash:/path/to/file" or "btree:/path/to/file"). It implements the service by running the postmap(1) or postalias(1) command with appropriate privileges.
The service reports a success status when the non-Berkeley-DB indexed file already exists. This can happen when multiple clients make the same request. When one request is completed successfully, the service also reports success for the other requests.
This service enforces the following safety policy:
- The legacy Berkeley DB indexed file must exist (file name ends in ".db"). The nbdb_reindexd(8) service will use the owner's (uid, gid) of this file when it runs postmap(1) or postalias(1). It also uses the (uid, gid) for a number of safety checks as described next.
- The non-indexed source file must exist (file name without ".db" suffix). This file is needed as input for postmap(1) or postalias(1). The file must be owned by "root" or by the above uid, and must not allow "group" or "other" write access.
- The parent directory must be owned by "root" or by the above uid, and it must not allow "group" or "other" write access.
- Additionally, the "non_bdb_migration_allow_root_prefixes" parameter limits the source file directory prefixes that are allowed when this service needs to run postmap(1) or postalias(1) with "root" privileges.
- A similar parameter, "non_bdb_migration_allow_user_prefixes", limits the source file directory prefixes that are allowed when this service needs to run postmap(1) or postalias(1) as an unprivileged user.
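The following is an added illustration of the safety policy above, written for this page and not taken from Postfix. It re-implements the ownership, permission and prefix checks as a stand-alone function (all names are ours) and exercises it against constructed files in a temporary directory.

```python
import os
import stat
import tempfile

# Illustrative re-implementation of the nbdb_reindexd(8) safety policy.
# Not Postfix's code; function names and return values are ours.

def _group_or_other_writable(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def check_request(db_path, root_prefixes, user_prefixes):
    """Decide whether a "generate index for db_path" request is safe.

    Returns (ok, reason). On success the reason names the (uid, gid) that
    postmap(1)/postalias(1) would run as: the owner of the legacy .db file.
    """
    if not db_path.endswith(".db"):
        return False, "legacy file name must end in .db"
    try:
        db_st = os.lstat(db_path)          # lstat: do not follow a symlink
    except FileNotFoundError:
        return False, "legacy Berkeley DB file does not exist"
    uid, gid = db_st.st_uid, db_st.st_gid
    src_path = db_path[:-len(".db")]       # non-indexed source file
    try:
        src_st = os.lstat(src_path)
    except FileNotFoundError:
        return False, "source file does not exist"
    if not stat.S_ISREG(src_st.st_mode):
        return False, "source file is not a regular file"
    if src_st.st_uid not in (0, uid):
        return False, "source file must be owned by root or the .db owner"
    if _group_or_other_writable(src_st.st_mode):
        return False, "source file allows group or other write access"
    parent = os.path.dirname(os.path.abspath(src_path))
    dir_st = os.lstat(parent)
    if dir_st.st_uid not in (0, uid):
        return False, "parent directory must be owned by root or the .db owner"
    if _group_or_other_writable(dir_st.st_mode):
        return False, "parent directory allows group or other write access"
    # Root requests are confined to the root prefix list, others to the user list.
    prefixes = root_prefixes if uid == 0 else user_prefixes
    if not any((parent + "/").startswith(p) for p in prefixes):
        return False, "source directory is not under an allowed prefix"
    return True, f"run postmap/postalias as uid={uid} gid={gid}"

def demo():
    """Constructed scenario: a sane table, a world-writable one, a missing one."""
    base = tempfile.mkdtemp()              # mode 0700, owned by the caller
    prefixes = [base + "/"]
    for name, mode in (("aliases", 0o644), ("transport", 0o666)):
        path = os.path.join(base, name)
        for p in (path, path + ".db"):
            open(p, "w").close()
        os.chmod(path, mode)
    return tuple(check_request(os.path.join(base, n + ".db"), prefixes, prefixes)[0]
                 for n in ("aliases", "transport", "missing"))   # (True, False, False)
```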
SECURITY
The nbdb_reindexd(8) server is security sensitive. It accepts requests only from processes that can access sockets under $queue_directory/private (i.e., processes that run with "root" or "mail_owner" (usually, postfix) privileges).
The threat is therefore a corrupted Postfix daemon process that wants to elevate privileges, by sending requests with crafted pathnames, and racing against the service by quickly swapping files or directories, hoping that Postfix will be tricked to overwrite a sensitive file with attacker-controlled data.
When the service runs postmap(1) or postalias(1) as "root", such racing attacks should not be possible if non_bdb_migration_allow_root_prefixes specifies only prefixes that are already trusted.
This service could block all requests with crafted pathnames, if given complete information about all lookup tables that are referenced through Postfix configuration files. Unfortunately that information was not available at the time that this program was needed.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8) or postlogd(8). If an attempt to create an index file fails, this service will attempt to delete the incomplete file.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, as nbdb_reindexd(8) processes are long-lived. Use the command "postfix reload" after a configuration change.
The text below provides only a parameter summary. See postconf(5) for more details including examples.
SERVICE-SPECIFIC CONTROLS
non_bdb_migration_level (disable)
    The non-Berkeley-DB migration service level.
non_bdb_migration_allow_root_prefixes (see 'postconf -d non_bdb_migration_allow_root_prefixes' output)
    A list of trusted pathname prefixes that must be matched when the non-Berkeley-DB migration service (nbdb_reindexd(8)) needs to run postmap(1) or postalias(1) commands with "root" privilege.
non_bdb_migration_allow_user_prefixes (see 'postconf -d non_bdb_migration_allow_user_prefixes' output)
    A list of trusted pathname prefixes that must be matched when the non-Berkeley-DB migration service (nbdb_reindexd(8)) needs to run postmap(1) or postalias(1) commands with non-root privilege.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
    The default location of the Postfix main.cf and master.cf configuration files.
process_id (read-only)
    The process ID of a Postfix command or daemon process.
process_name (read-only)
    The process name of a Postfix command or daemon process.
syslog_facility (mail)
    The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
    A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd".
service_name (read-only)
    The master.cf service name of a Postfix daemon process.
SEE ALSO
postfix-non-bdb(1), migration management
postconf(5), configuration parameters
postlogd(8), Postfix logging
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this information.
NON_BERKELEYDB_README, Non-Berkeley-DB migration guide
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 3.11.
AUTHOR(S)
Wietse Venema
porcupine.org