Subject: insecurity report and mtree(8) symlink behaviours
To: NetBSD Current Users <current-users@NetBSD.org>
From: Chris Ross <cross+netbsd@distal.com>
List: current-users
Date: 10/15/2007 11:00:17
Hello there. I may've already asked this question, but I wanted
to inquire again. Since I've just built myself a NetBSD 4.0_RC2
server, and I am choosing to use sendmail rather than postfix on this
machine, I've installed the 8.13 branch of sendmail from pkgsrc. The
instructions given during the install of this pkgsrc package suggest
explicitly to create a symlink from
/usr/pkg/share/examples/sendmail/mailer.conf into /etc.
The issue I have with this is that I now get a nightly insecurity
report from this machine every night, saying:
> Checking special files and directories.
> etc/mailer.conf:
> type (file, link)
I notice that /etc/security has 'check_mtree_follow_symlinks' to
have it pass -L to mtree, which would avoid the above. However, it
will then complain:
> etc/localtime:
> type (link, file)
So, we may have some sort of chicken/egg problem. Or more a
'Catch 22' I suppose. There's no way to suggest that -L should apply
to some, but not all, of the files. Nor should there be, I don't
think. I was trying to look into whether there was a way (with
special.local) to allow mailer.conf to be a link, in addition to the
specification (in special) that it's a file, but even that wouldn't
be *best*, because I really want to know if the link points to a
file, ideally.
Does anyone have any suggestion as to the best way to resolve this
issue?
- Chris
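As an added illustration (not part of the original post, and not the logic of NetBSD's /etc/security or mtree(8)), the following POSIX sh script does what the post says it ideally wants: it distinguishes a plain file from a symlink that resolves to a regular file and from a symlink that does not, so that etc/mailer.conf can be required to be a link-to-file while etc/localtime is required to be a plain file. It relies only on test(1) semantics: `-L` is true for a symlink itself, while `-f`/`-d`/`-e` follow the link. The demo tree is constructed under a mktemp directory; the paths and the `classify_path`/`check_expected` names are the example's own.

```shell
#!/bin/sh
# Added example: classify a path by its own type and, for a symlink,
# by what it resolves to. Not the /etc/security implementation.

classify_path() {
    p=$1
    if [ -L "$p" ]; then
        # -L is true for the link itself; -f/-d/-e follow it.
        if [ -f "$p" ]; then echo link-to-file
        elif [ -d "$p" ]; then echo link-to-dir
        elif [ -e "$p" ]; then echo link-to-other
        else echo link-dangling
        fi
    elif [ -f "$p" ]; then echo file
    elif [ -d "$p" ]; then echo dir
    elif [ -e "$p" ]; then echo other
    else echo missing
    fi
}

# Compare a path against the type we expect for it and print a
# mismatch line shaped like the nightly report's "type (want, got)".
# Returns 0 on match, 1 on mismatch.
check_expected() {
    p=$1
    want=$2
    got=$(classify_path "$p")
    if [ "$got" = "$want" ]; then
        return 0
    fi
    printf '%s:\n\ttype (%s, %s)\n' "$p" "$want" "$got"
    return 1
}

# Constructed demo tree (hypothetical; stands in for /etc and the
# pkgsrc examples directory):
#   etc/mailer.conf -> symlink to a real file   (expected: link-to-file)
#   etc/localtime      plain file                (expected: file)
#   etc/stale       -> symlink to nothing        (should be flagged)
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc" "$demo_root/share"
printf 'sendmail /usr/pkg/sbin/sendmail\n' > "$demo_root/share/mailer.conf"
ln -s "$demo_root/share/mailer.conf" "$demo_root/etc/mailer.conf"
printf 'TZif2' > "$demo_root/etc/localtime"
ln -s "$demo_root/share/nonexistent" "$demo_root/etc/stale"

# Run the per-path expectations; returns 1 if any path mismatches.
run_demo() {
    rc=0
    check_expected "$demo_root/etc/mailer.conf" link-to-file || rc=1
    check_expected "$demo_root/etc/localtime"   file         || rc=1
    check_expected "$demo_root/etc/stale"       link-to-file || rc=1
    return $rc
}

run_demo
```

Running it prints only the one mismatch, for etc/stale ("type (link-to-file, link-dangling)"), since that link's target is missing; the other two paths satisfy their per-path expectations without a global follow/don't-follow switch.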