[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#3036: automatic adduser/addgroup in postinst (was Re: fingerd)

Ian Jackson:
 > Compiled-in uids need to be the same across all systems
 > (potentially) running the same binary, and have a large chance of
 > clashing with uids allocated locally for other purposes.  Therefore
 > we can only alloocate a small range (0-99 and perhaps some high
 > ones) for centrally and statically allocated immutable uids.

The real issue here isn't that compiled in uids shouldn't be used --
the real issue is whether or not qmail makes good use of them.

 > Does qmail do the uid lookups at runtime, or can it be made to ?
 > If so then that would be better, because then it can use uids which
 > have been allocated by adduser according to whatever policy the
 > local sysadmin sets in the adduser.conf (when adduser is fixed ...)

qmail uses exec() a lot (to manage security partitioning), so runtime
lookup could result in a big performance hit.  Furthermore, making
this runtime configurable would allow new opportunities for
mismanagment without really adding any functionality.  Thus, I think
this solution should be considered as a hack and not a real solution.

Also, note that qmail uses only five distinct user ids, and one
distinct gid (it should need to use a second if the group id "nobody"
is allowed to own any files).

One of the user ids is used for alias support.  One of the user ids is
used for qmail's internal queue management.  One of the user ids is
used for smtpd.  One of the user ids is used for the sending mail
interface (e.g. before the decision is made for sending it locally or
sending it remotely).  The final user id is used for smtp client

Each handoff point is coded defensively.  Thus, for example, a
security hole in smtpd wouldn't affect the integrity of other mail

Since sendmail tries to do all these things in the same program, it's
reasonable to expect qmail (as a system) to provide all these
features.  However, these really are separate functional areas, and
their need to manipulate files leads to this need for separate user

Basically, I think that qmail's use of these ids is justified.  I
think that if these should be made configurable we should put together
a kit to make all non-root system ids configurable.


Reply to: