NBDB_REINDEXD
Section: Maintenance Commands (8)
NAME
nbdb_reindexd - Postfix non-Berkeley-DB migration
SYNOPSIS
nbdb_reindexd [generic Postfix daemon options]
DESCRIPTION
NOTE: This service should be enabled only temporarily to
generate most of the non-Berkeley-DB indexed files that Postfix
needs. Leaving this service enabled may expose the system to
privilege-escalation attacks.
The nbdb_reindexd(8) server handles requests to generate
a non-Berkeley-DB indexed database file for an existing Berkeley
DB database (example: "hash:/path/to/file" or
"btree:/path/to/file"). It implements the service by running
the postmap(1) or postalias(1) command with appropriate
privileges.
The service reports a success status when the non-Berkeley-DB
indexed file already exists. This can happen when multiple clients
make the same request. When one request is completed successfully,
the service also reports success for the other requests.
This service enforces the following safety policy:
* The legacy Berkeley DB indexed file must exist (file name ends in
  ".db"). The nbdb_reindexd(8) service will use the owner's (uid,
  gid) of this file, when it runs postmap(1) or postalias(1). It
  also uses the (uid,gid) for a number of safety checks as
  described next.
* The non-indexed source file must exist (file name without
  ".db" suffix). This file is needed as input for postmap(1)
  or postalias(1). The file must be owned by "root" or by the
  above uid, and must not allow "group" or "other" write access.
* The parent directory must be owned by "root" or by the above uid,
  and it must not allow "group" or "other" write access.
* Additionally, the "non_bdb_migration_allow_root_prefixes"
  parameter limits the source file directory prefixes that are
  allowed when this service needs to run postmap(1) or postalias(1)
  with "root" privileges.
* A similar parameter, "non_bdb_migration_allow_user_prefixes",
  limits the source file directory prefixes that are allowed when
  this service needs to run postmap(1) or postalias(1) as an
  unprivileged user.
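The safety policy above, written out as an administrator's pre-flight check that an operator could run over a table before enabling the migration service. This is an added example, not Postfix code; the prefix test is a plain string-prefix comparison, which is an assumption since the exact matching rule of the two prefix parameters is not described on this page.

```python
import os
import stat
import tempfile

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH  # the 0o022 mode bits


def check_migration_policy(db_path, root_prefixes, user_prefixes):
    """Apply the nbdb_reindexd(8) safety policy to one legacy ".db" file.
    Returns (ok, reason). The (uid) of the .db file decides which prefix
    list applies: uid 0 -> root prefixes, otherwise -> user prefixes."""
    if not db_path.endswith(".db") or not os.path.isfile(db_path):
        return False, "legacy .db file missing"
    uid = os.stat(db_path).st_uid
    src = os.path.abspath(db_path[:-3])      # source = name without ".db"
    if not os.path.isfile(src):
        return False, "source file missing"
    st_src = os.stat(src)
    if st_src.st_uid not in (0, uid) or st_src.st_mode & GROUP_OR_OTHER_WRITE:
        return False, "source file must be owned by root/uid and not g/o writable"
    st_dir = os.stat(os.path.dirname(src))
    if st_dir.st_uid not in (0, uid) or st_dir.st_mode & GROUP_OR_OTHER_WRITE:
        return False, "parent directory must be owned by root/uid and not g/o writable"
    prefixes = root_prefixes if uid == 0 else user_prefixes
    # Assumption: simple string-prefix match against the source directory.
    if not any(src.startswith(p) for p in prefixes):
        return False, "source file is outside the allowed prefixes"
    return True, "ok"


def demo():
    """Constructed fixture: a temporary directory standing in for a Postfix
    config directory, exercised through a good state and three bad ones."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    src, db = os.path.join(d, "aliases"), os.path.join(d, "aliases.db")
    for p in (src, db):
        open(p, "w").close()
        os.chmod(p, 0o644)
    results = {"good": check_migration_policy(db, [d], [d])}
    os.chmod(src, 0o666)  # grant group/other write on the source: must fail
    results["writable_source"] = check_migration_policy(db, [d], [d])
    os.chmod(src, 0o644)
    results["wrong_prefix"] = check_migration_policy(db, ["/etc/postfix"], ["/etc/postfix"])
    os.remove(db)
    results["missing_db"] = check_migration_policy(db, [d], [d])
    return results
```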
SECURITY
The nbdb_reindexd(8) server is security sensitive. It accepts
requests only from processes that can access sockets under
$queue_directory/private (i.e., processes that run with "root"
or "mail_owner" (usually, postfix) privileges).
The threat is therefore a corrupted Postfix daemon process that
wants to elevate privileges, by sending requests with crafted
pathnames, and racing against the service by quickly swapping
files or directories, hoping that Postfix will be tricked to
overwrite a sensitive file with attacker-controlled data.
When the service runs postmap(1) or postalias(1) as
"root", such racing attacks should not be possible if
non_bdb_migration_allow_root_prefixes specifies only prefixes
that are already trusted.
This service could block all requests with crafted pathnames,
if given complete information about all lookup tables that are
referenced through Postfix configuration files. Unfortunately
that information was not available at the time that this program
was needed.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8) or
postlogd(8). If an attempt to create an index file fails, this
service will attempt to delete the incomplete file.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, as
nbdb_reindexd(8) processes are long-lived. Use the command
"postfix reload" after a configuration change.
The text below provides only a parameter summary. See
postconf(5) for more details including examples.
SERVICE-SPECIFIC CONTROLS
non_bdb_migration_level (disable)
    The non-Berkeley-DB migration service level.
non_bdb_migration_allow_root_prefixes (see 'postconf -d non_bdb_migration_allow_root_prefixes' output)
    A list of trusted pathname prefixes that must be matched when
    the non-Berkeley-DB migration service (nbdb_reindexd(8)) needs to
    run postmap(1) or postalias(1) commands with "root" privilege.
non_bdb_migration_allow_user_prefixes (see 'postconf -d non_bdb_migration_allow_user_prefixes' output)
    A list of trusted pathname prefixes that must be matched when
    the non-Berkeley-DB migration service (nbdb_reindexd(8)) needs to
    run postmap(1) or postalias(1) commands with non-root privilege.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
    The default location of the Postfix main.cf and master.cf
    configuration files.
process_id (read-only)
    The process ID of a Postfix command or daemon process.
process_name (read-only)
    The process name of a Postfix command or daemon process.
syslog_facility (mail)
    The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
    A prefix that is prepended to the process name in syslog
    records, so that, for example, "smtpd" becomes "prefix/smtpd".
service_name (read-only)
    The master.cf service name of a Postfix daemon process.
SEE ALSO
postfix-non-bdb(1), migration management
postconf(5), configuration parameters
postlogd(8), Postfix logging
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory"
to locate this information.
NON_BERKELEYDB_README, Non-Berkeley-DB migration guide
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 3.11.
AUTHOR(S)
Wietse Venema
porcupine.org