comparison thesis/tex/5-Improvements.tex @ 348:4ced91b9a2ca

reworked last part of permissions
author meillo@marmaro.de
date Tue, 27 Jan 2009 12:13:58 +0100
parents f44603443e2d
children c42c49f33228
347:d1ea058c0949 348:4ced91b9a2ca
426 426
427 427
428 428
429 429
430 430
431 \subsubsection*{Rights and permission} %fixme: singular, plural? 431 \subsubsection*{Rights and permissions}
432
433 This section leaves quite a few questions open. It is more a discussion on the topic. More information needs to be collected and further studies of the situations in existing \MTA{}s should be made. %fixme: this sentence at the end?
434 432
435 The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible. 433 The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible.
436 434
437 The \name{queue-in} module is the part of the system that is most critical about permission. It either needs to run as deamon (as a specific user) or be \name{setuid} or \name{setgid} in order to avoid a world-writable queue. \person{Ian~R.\ Justman} recommends to use \name{setgid} in this situation: 435 The \name{queue-in} module is the part of the system that is most critical about permission. It either needs to run as deamon (as a specific user) or be \name{setuid} or \name{setgid} in order to avoid a world-writable queue. \person{Ian~R.\ Justman} recommends to use \name{setgid} in this situation:
438 436
445 443
446 444
447 The modules \name{scanning} and \name{queue-out} are candidates for all-time running daemon processes. But they could also get periodically started by \name{cron}. Another possibility is to run a master process as daemon which starts and restarts the system parts. \postfix\ has such a master process, \qmail\ lacks it. The jobs of a master process can be done by the other tools of the operating system too, thus making the master process abdicable. \masqmail\ does probably better go without a master process because it aims to save resources, not to get the best performance. 445 The modules \name{scanning} and \name{queue-out} are candidates for all-time running daemon processes. But they could also get periodically started by \name{cron}. Another possibility is to run a master process as daemon which starts and restarts the system parts. \postfix\ has such a master process, \qmail\ lacks it. The jobs of a master process can be done by the other tools of the operating system too, thus making the master process abdicable. \masqmail\ does probably better go without a master process because it aims to save resources, not to get the best performance.
448 446
449 447
450 In general is a sane permission management very important for secure software. The \name{principle of least privilege}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root, let it bind to the port and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd} or a similar ``super-server'' listens on the port instead of the \name{smtpd} module, but invokes the module as a connection attempt to the port is made. The \name{smtpd} module needs no privilege at all this way. 448 In general is a sane permission management very important for secure software. The \name{principle of least privilege}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root, let it bind to the port, and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd} or one of its substitutes listens on the port instead of the \name{smtpd} module. The \name{smtpd} module gets launched by \name{inetd} to handle the connection when a connection attempt to the port is made. The \name{smtpd} module needs no privilege at all this way.
451 449
452 450
453 451
454 The important goal with privilege management is to prevent unauthorized users from modifying or damaging the system. Unauthorized users are especially attackers. What can happen if an attacker breaks into \masqmail?
455
456 All revceiving modules communicate only with \name{queue-in} which puts new mail into the queue. They run as user \name{nobody}\footnote{\name{nobody} is on \unix\ systems usually the name for a system user with no privilege.} and write only to log files. Apart of during-\SMTP-dialog spam prevention is their funtionality straight forward: They talk the specific protocol to the sender, receive the message on this way, and pass it over to \name{queue-in}.
457
458 The queue is only modified by \name{queue-in}, \name{scanning}, and \name{queue-out}. All of them need to run with either the owner or the group \name{masqmail}. The queue directories must be of owner and group \name{masqmail} and only readable and modifiable by them.
459
460 %XXX
461
462 %fixme
463
464
465
466
467
468
469 %Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules.
470 %
471 %\begin{table}
472 % \begin{center}
473 % \input{tbl/new-masqmail-permissions.tbl}
474 % \end{center}
475 % \caption{Ownership and permissions of the modules}
476 % \label{tab:new-masqmail-permission}
477 %\end{table}
478 %
479 %These are the permissions and ownership used for the queue:
480 %\codeinput{input/new-masqmail-queue.txt}
481
482
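Review bot: the rework drops the only concrete permission requirements this section had, in the deleted old lines 454-458: the receiving modules run as \name{nobody} and write only to log files, the queue is modified only by \name{queue-in}, \name{scanning} and \name{queue-out}, and the queue directories are owned by user and group \name{masqmail} and readable and writable only by them. The new right-hand text ends at the \name{inetd} example, so a reader can no longer tell which module may touch the queue; either keep that paragraph (the commented-out \ref{tab:new-masqmail-permissions} table and the queue listing that follow it are its supporting material) or say in the commit message where it was moved. In the rewritten paragraph at old 450 / new 448, "root privilege is avoidable completely" overstates the case: the privileged bind to the port does not disappear, it is performed by \name{inetd} instead, so phrase it as the \name{smtpd} module needing no privilege of its own, which the paragraph's last sentence already says; the new sentence "gets launched by \name{inetd} to handle the connection when a connection attempt to the port is made" would read better as "\name{inetd} then launches the \name{smtpd} module to handle each incoming connection". Several wording defects survive unchanged on both sides: "should to be avoided as feasible" (old 435 / new 433, should be "should be avoided as far as feasible"), "run as deamon" and "recommends to use" (old 437 / new 435, "daemon", "recommends using"), "all-time running daemon processes" and "abdicable" (old 447 / new 445, "permanently running", "dispensable"), and the word order in "In general is a sane permission management very important" (old 450 / new 448, "In general, sane permission management is very important"). The heading change to "Rights and permissions" resolves the fixme correctly.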