NBDB_REINDEXD(8) System Manager's Manual NBDB_REINDEXD(8)
NAME
nbdb_reindexd - Postfix non-Berkeley-DB migration
SYNOPSIS
nbdb_reindexd [generic Postfix daemon options]
DESCRIPTION
NOTE: This service should be enabled only temporarily to generate most
of the non-Berkeley-DB indexed files that Postfix needs. Leaving this
service enabled may expose the system to privilege-escalation attacks.
The nbdb_reindexd(8) server handles requests to generate a non-Berke‐
ley-DB indexed database file for an existing Berkeley DB database (ex‐
ample: "hash:/path/to/file" or "btree:/path/to/file"). It implements
the service by running the postmap(1) or postalias(1) command with ap‐
propriate privileges.
The service reports a success status when the non-Berkeley-DB indexed
file already exists. This can happen when multiple clients make the
same request. When one request is completed successfully, the service
also reports success for the other requests.
This service enforces the following safety policy:
• The legacy Berkeley DB indexed file must exist (file name ends
in ".db"). The nbdb_reindexd(8) service will use the owner"s
(uid, gid) of this file, when it runs postmap(1) or postal‐
ias(1). It also uses the (uid,gid) for a number of safety checks
as described next.
• The non-indexed source file must exist (file name without ".db"
suffix). This file is needed as input for postmap(1) or postal‐
ias(1). The file must be owned by "root" or by the above uid,
and must not allow "group" or "other" write access.
• The parent directory must be owned by "root" or by the above
uid, and it must not allow "group" or "other" write access.
• Additionally, the "non_bdb_migration_allow_root_prefixes" para‐
meter limits the source file directory prefixes that are allowed
when this service needs to run postmap(1) or postalias(1) with
"root" privileges.
• A similar parameter, "non_bdb_migration_allow_user_prefixes",
limits the source file directory prefixes that are allowed when
this service needs to run postmap(1) or postalias(1) as an un‐
privileged user.
SECURITY
The nbdb_reindexd(8) server is security sensitive. It accepts requests
only from processes that can access sockets under $queue_directory/pri‐
vate (i.e., processes that run with "root" or "mail_owner" (usually,
postfix) privileges).
The threat is therefore a corrupted Postfix daemon process that wants
to elevate privileges, by sending requests with crafted pathnames, and
racing against the service by quickly swapping files or directories,
hoping that Postfix will be tricked to overwrite a sensitive file with
attacker-controlled data.
When the service runs postmap(1) or postalias(1) as "root", such racing
attacks should not be possible if non_bdb_migration_allow_root_prefixes
specifies only prefixes that are already trusted.
This service could block all requests with crafted pathnames, if given
complete information about all lookup tables that are referenced
through Postfix configuration files. Unfortunately that information was
not available at the time that this program was needed.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8) or postlogd(8). If
an attempt to create an index file fails, this service will attempt to
delete the incomplete file.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, as nbdb_reindexd(8)
processes are long-lived. Use the command "postfix reload" after a con‐
figuration change.
The text below provides only a parameter summary. See postconf(5) for
more details including examples.
SERVICE-SPECIFIC CONTROLS
non_bdb_migration_level (disable)
The non-Berkeley-DB migration service level.
non_bdb_migration_allow_root_prefixes (see 'postconf -d non_bdb_migra‐
tion_allow_root_prefixes' output)
A list of trusted pathname prefixes that must be matched when
the non-Berkeley-DB migration service (nbdb_reindexd(8)) needs
to run postmap(1) or postalias(1) commands with "root" privi‐
lege.
non_bdb_migration_allow_user_prefixes (see 'postconf -d non_bdb_migra‐
tion_allow_user_prefixes' output)
A list of trusted pathname prefixes that must be matched when
the non-Berkeley-DB migration service (nbdb_reindexd(8)) needs
to run postmap(1) or postalias(1) commands with non-root privi‐
lege.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf con‐
figuration files.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
service_name (read-only)
The master.cf service name of a Postfix daemon process.
SEE ALSO
postfix-non-bdb(1), migration management
postconf(5), configuration parameters
postlogd(8), Postfix logging
syslogd(8), system logging
README FILES
NON_BERKELEYDB_README, Non-Berkeley-DB migration guide
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 3.11.
AUTHOR(S)
Wietse Venema
porcupine.org
NBDB_REINDEXD(8)