
Re: default MTA for sarge



On Wed, 16 Jul 2003 12:45, David B Harris wrote:
> Russell Coker <russell@coker.com.au> wrote:
> > This means that if there is a bug in one part of the daemon's operations
> > it is likely that it will be able to get full access to the user's home
> > directories.
>
> You mean, of course, in those code paths which happen *BEFORE* it drops
> privileges. That is hardly the same thing as "any bit of code".

In mail servers such as Postfix and Qmail the received mail goes through a 
number of programs before getting delivered.  The authors of these programs 
have done as much as possible to ensure that no program gets needless access 
to the system.  With my SE Linux policy to enforce this the only way that 
Procmail or other delivery agents get run is through the local delivery 
agent.  This means that if you want to exploit Procmail, the scripts that 
users put in their .forward files, or whatever else may be exploited then you 
have to do it by proxy through the regular mail delivery mechanisms.  So 
unless you exploit the local delivery agent then Procmail or other delivery 
programs have to receive something that vaguely looks like an email message 
(which may not permit the exploit).

> In fact, could you please describe how dropping privileges is
> architecturally less secure than having different daemons (always)
> running under their respective uids/gids? I mean, one of those
> qmail/postfix processes needs to be running as root quite often, so that
> it can change the appropriate uid/gid for delivery. So you just need
> to find one vulnerability there, and you're all set. Is this not

If the vulnerability in the delivery process which runs as root requires that 
it be fed grossly bogus input data, and if the process which feeds it data 
will not feed it invalid data then you don't get anywhere.

> > Finally if using a modified Linux kernel for extra security such as
> > Security Enhanced Linux you have better control over Postfix or Qmail
> > than Sendmail or Exim.
>
> Yeah, please see above.

When Sendmail is running on SE Linux any part of the Sendmail server code is 
permitted to run Procmail (which is SETUID root and has full access to the 
system) or any other local delivery agent (which will have at least 
read/write access to all users' email).

When Postfix is running on SE Linux only the "pipe" and "local" programs can 
do local delivery.

When Qmail is running on SE Linux only the "qmail-lspawn" program can do local 
delivery.

The "pipe", "local", and "qmail-lspawn" programs are significantly smaller 
than the "sendmail" binary in Sendmail, they have less functionality, and are 
therefore easier to audit.

Is this really so difficult to understand?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
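As an added illustration of the "only the local delivery agent may run Procmail" arrangement described above, here is a type-enforcement fragment of the kind such a policy would contain. It is not Russell's policy and not code from the original mail; the domain and type names (postfix_local_t, procmail_t and so on) are assumed for illustration, modelled on conventional SE Linux naming, and the real policy at the URL above is written with m4 macros rather than raw rules.

```selinux
# Assumed domains and file types (illustration only, not the original policy).
type postfix_local_t, domain;             # Postfix "local" delivery program
type postfix_pipe_t, domain;              # Postfix "pipe" delivery program
type sendmail_t, domain;                  # a monolithic MTA domain, for contrast
type procmail_t, domain;                  # Procmail itself
type procmail_exec_t, file_type, exec_type;   # label on /usr/bin/procmail

# Reading/executing the procmail binary is granted only to the two
# delivery domains, so no other part of the mail system can even start it.
allow postfix_local_t procmail_exec_t:file { read getattr execute };
allow postfix_pipe_t  procmail_exec_t:file { read getattr execute };

# Permit the domain change, and mark the procmail binary as the only
# entry point into procmail_t.
allow postfix_local_t procmail_t:process transition;
allow postfix_pipe_t  procmail_t:process transition;
allow procmail_t procmail_exec_t:file entrypoint;

# Automatic transition: executing procmail_exec_t from either delivery
# domain lands the new process in procmail_t.
type_transition postfix_local_t procmail_exec_t:process procmail_t;
type_transition postfix_pipe_t  procmail_exec_t:process procmail_t;

# Deliberately absent: no rule lets sendmail_t (or postfix_smtpd_t, the
# queue manager, etc.) execute procmail_exec_t or transition to procmail_t.
# SE Linux denies by default, so omitting the rule is the restriction.
```

The security property is carried by what is *not* written: every domain that lacks the execute and transition rules is denied by default, so a compromise of the SMTP listener or queue manager cannot reach Procmail except by handing a message to the local delivery agent. On a policy-enabled system, a query tool such as sesearch from setools can list which source domains hold a type_transition into procmail_t, which is a quick way to confirm that only the intended delivery domains appear.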


