comparison thesis/tex/5-Improvements.tex @ 343:f44603443e2d

new text about permission
author meillo@marmaro.de
date Mon, 26 Jan 2009 23:17:52 +0100
parents a5f167ca2a01
children 4ced91b9a2ca
342:160de840edf9 343:f44603443e2d
426 426
427 427
428 428
429 429
430 430
431 \subsubsection*{Rights and permission} 431 \subsubsection*{Rights and permission} %fixme: singular, plural?
432
433 This section leaves quite a few questions open. It is more a discussion on the topic. More information needs to be collected and further studies of the situations in existing \MTA{}s should be made. %fixme: this sentence at the end?
432 434
433 The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible. 435 The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible.
434 436
435 The \name{queue-in} module is the part of the system that is most critical about permission. It either needs to run as deamon (as a specific user) or be \name{setuid} or \name{setgid} in order to avoid a world-writable queue. \person{Ian~R.\ Justman} recommends to use \name{setgid} in this situation: 437 The \name{queue-in} module is the part of the system that is most critical about permission. It either needs to run as deamon (as a specific user) or be \name{setuid} or \name{setgid} in order to avoid a world-writable queue. \person{Ian~R.\ Justman} recommends to use \name{setgid} in this situation:
436 438
440 \end{quote} 442 \end{quote}
441 443
442 \person{Bernstein} chose \name{setuid} for the \name{qmail-queue} module, \person{Venema} uses \name{setgid} in \postfix, the differences are small. But each of them is better than running the module as a deamon. A deamon needs more resources and therefore become inefficient on systems with low mail amount like the ones \masqmail\ will probably run on. Short running processes are additionally higher obstacles for intruders because if an intruder managed to take one over it will die soon. 444 \person{Bernstein} chose \name{setuid} for the \name{qmail-queue} module, \person{Venema} uses \name{setgid} in \postfix, the differences are small. But each of them is better than running the module as a deamon. A deamon needs more resources and therefore become inefficient on systems with low mail amount like the ones \masqmail\ will probably run on. Short running processes are additionally higher obstacles for intruders because if an intruder managed to take one over it will die soon.
443 445
444 446
445 \subsubsection*{Daemon processes} 447 The modules \name{scanning} and \name{queue-out} are candidates for all-time running daemon processes. But they could also get periodically started by \name{cron}. Another possibility is to run a master process as daemon which starts and restarts the system parts. \postfix\ has such a master process, \qmail\ lacks it. The jobs of a master process can be done by the other tools of the operating system too, thus making the master process abdicable. \masqmail\ does probably better go without a master process because it aims to save resources, not to get the best performance.
446 448
447 The modules \name{scanning} and \name{queue-out} are candidates for all-time running processes. But they could also get periodically started by \name{cron}. 449
448 450 In general is a sane permission management very important for secure software. The \name{principle of least privilege}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root, let it bind to the port and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd} or a similar ``super-server'' listens on the port instead of the \name{smtpd} module, but invokes the module as a connection attempt to the port is made. The \name{smtpd} module needs no privilege at all this way.
449 how is which process invoked? 451
450 452
451 453
452 454 The important goal with privilege management is to prevent unauthorized users from modifying or damaging the system. Unauthorized users are especially attackers. What can happen if an attacker breaks into \masqmail?
453 master process? needed, or wanted? 455
454 456 All revceiving modules communicate only with \name{queue-in} which puts new mail into the queue. They run as user \name{nobody}\footnote{\name{nobody} is on \unix\ systems usually the name for a system user with no privilege.} and write only to log files. Apart of during-\SMTP-dialog spam prevention is their funtionality straight forward: They talk the specific protocol to the sender, receive the message on this way, and pass it over to \name{queue-in}.
455 457
456 458 The queue is only modified by \name{queue-in}, \name{scanning}, and \name{queue-out}. All of them need to run with either the owner or the group \name{masqmail}. The queue directories must be of owner and group \name{masqmail} and only readable and modifiable by them.
457 where to drop privilege? needed? 459
458 460 %XXX
459 461
460 what can crash if an attacker succeeds? 462 %fixme
463
461 464
462 465
463 466
464 467
465 468
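Review bot: the new paragraph beginning "In general is a sane permission management" concludes that the \name{smtpd} module "needs no privilege at all" when invoked by \name{inetd}, but the following paragraphs still have every receiving module hand its message to \name{queue-in}, which must be \name{setuid} or \name{setgid} to write a non-world-writable queue, and the super-server itself binds the port as root; the privilege is relocated into \name{queue-in} and \name{inetd}, not removed, so "needs no privilege of its own" and a sentence on what the super-server is trusted with would be more accurate. In the same hunk the \subsubsection*{Daemon processes} heading is dropped while its text is kept, so the daemon discussion now sits under "Rights and permission" without a signpost; the sentence should read "In general, sane permission management is very important", and "should to be avoided as feasible" should read "should be avoided as far as feasible". Spelling: "deamon" (three times), "revceiving", "funtionality", "Apart of" (should be "Apart from"). The "%fixme" asking whether the "leaves quite a few questions open" sentence belongs at the end, and the bare "%XXX"/"%fixme" markers at the bottom of the hunk, remain unresolved in this revision.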