In <4a43cd93.1c07d00a.02ca.3888@mx.google.com>, Sthu Deus wrote:
>Thank You for Your time and answer, Todd:
>> You can probably screw up any service if you try hard enough. Postfix is
>> relatively secure, at least when compared to sendmail. As root, though,
>> you're responsible for the security of your configurations if you
>> deviate from the defaults.
>
>Well. I did not press on it hard. I just made the service to do what it
> should. Yet I'm not a developer nor security expert and therefore do not
> know which security issues the software brings up just because something
> is not turned on or off. Here comes my question: is it possible to have
> such issues (that an attacker can get *root* privileges) or not.

Yes, it is possible.

It is not likely unless you are running, as part of the mail exchange and
delivery process, (a) a script or binary you wrote yourself, as root (b) a
script or binary that is not meant to be run as root, as root, or (c) a
suid-root binary, as any user.

It is even less likely unless you are running, as part of the mail exchange
and delivery process, a script or binary you wrote yourself, as non-root, and
a local privilege escalation attack is released for the kernel or one of the
suid-root binaries on your system.

There may be other vectors I haven't covered. I have no formal security
credentials and have never held a position that was security-focused.

You should educate yourself about security issues until you are fairly
confident that you are safe or have a security expert audit your
configuration. At the end of the day, *you* are responsible for the security
of your systems -- both free software and proprietary software (generally)
explicitly disclaim any liability no matter what their marketing may say.

>Also it is interesting just out of curiosity - is it possible that some
>malicious software can remain in hardware somewhere if I reformatted the
>previously hacked install?

Can your kernel flash your BIOS? In theory it could hide there and in whatever
NVRAM your system has.

When you "reformat" do you simply repartition and recreate filesystems,
leaving your MBR intact? It could hide there.

It would take some effort and luck, but it could hide in data drives and wait
for an unsuspecting user to run it, or add data directories to some users'
PATHs by modifying their profile.
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
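
The last point in the reply above (a profile edited so that a data directory ends up in a user's PATH) can be checked for after a reinstall. The following is an added example, not part of the original message: a POSIX shell function, with the assumed name `audit_path`, that walks a PATH string and flags entries that are empty or relative, missing, or writable by group or others.

```shell
#!/bin/sh
# Added example, not from the original message.
# audit_path PATHSTRING
#   Prints one line per risky entry and returns 1 if any entry was flagged.
#   The function name and the output tags are choices made for this example.

audit_path() {
    path_value=$1
    risky=0
    # Append a colon so that a trailing empty entry is also examined.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first colon
        rest=${rest#*:}        # everything after the first colon
        case $entry in
            '')
                # An empty entry makes the shell search the current directory.
                echo "EMPTY (current directory)"; risky=1; continue ;;
            /*) ;;             # absolute path: inspect it below
            *)
                # Relative entries resolve against wherever the user happens to be.
                echo "RELATIVE $entry"; risky=1; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            # Whoever can write the parent can create this directory later.
            echo "MISSING $entry"; risky=1; continue
        fi
        # -H follows a symlinked entry (e.g. /bin -> usr/bin) to the real
        # directory; -prune keeps find from descending into it.
        hit=$(find -H "$entry" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
        if [ -n "$hit" ]; then
            echo "WRITABLE $entry"; risky=1
        fi
    done
    return $risky
}

# Typical use, once per account whose profile may have been modified:
#   audit_path "$PATH"
```

Run it from a login shell of each account, so that the PATH being checked is the one the account's profile actually produces.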