On Wed, 16 Jul 2003 11:53:32 +1000 Russell Coker <russell@coker.com.au> wrote:

> This means that if there is a bug in one part of the daemon's operations it is
> likely that it will be able to get full access to the user's home
> directories.

You mean, of course, in those code paths which happen *BEFORE* it drops privileges. That is hardly the same thing as "any bit of code".

In fact, could you please describe how dropping privileges is architecturally less secure than having different daemons (always) running under their respective uids/gids? I mean, one of those qmail/postfix processes needs to be running as root quite often, so that it can change the appropriate uid/gid for delivery. So you just need to find one vulnerability there, and you're all set. Is this not comparable to finding one vulnerability in the code that's run before the monolithic binary drops its privileges?

> Postfix and Qmail have a number of small programs running as
> non-root which do a small number of well defined tasks. This means that if
> one of those programs has a bug triggered by a buffer overflow it must then
> be tricked into exploiting the next program in the chain before access to the
> user home directories is gained. This means that exploiting a mail server is
> not a simple matter of finding a single bug, but a long and arduous process.
>
> Finally if using a modified Linux kernel for extra security such as Security
> Enhanced Linux you have better control over Postfix or Qmail than Sendmail or
> Exim.

Yeah, please see above.
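The "drop privileges" path both sides of this exchange are arguing about is easy to get subtly wrong, so here is an added example (not code from either poster or from any of the MTAs named) of a root process dropping to a delivery uid/gid in the order that actually works and then verifying the drop is permanent; it assumes Linux/POSIX setuid semantics and the hypothetical function names `drop_privileges` and `privileges_dropped`.

```c
#define _DEFAULT_SOURCE /* declares setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if the process now holds exactly uid/gid (real and effective)
 * and cannot become root again, else 0. A process that only called
 * seteuid() still has a saved uid of 0 and will fail this check. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    /* A permanent drop means re-acquiring root must fail with EPERM. */
    if (setuid(0) == 0 || errno != EPERM) return 0;
    if (setgid(0) == 0 || errno != EPERM) return 0;
    return 1;
}

/* Drop from root to uid/gid. Order matters: supplementary groups and the
 * gid need root, so they go first; setuid() goes last because after it
 * nothing else is permitted. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    if (setgroups(0, NULL) != 0) return -1; /* shed inherited groups (wheel, staff...) */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (!privileges_dropped(uid, gid)) { errno = EPERM; return -1; }
    return 0;
}

/* Usage (as root): ./drop <uid> <gid>. Everything above the drop_privileges()
 * call is the root-running code the message refers to. */
int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s uid gid\n", argv[0]); return 2; }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
    printf("now uid=%u gid=%u, root not recoverable\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```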