comparison thesis/tex/5-Improvements.tex @ 341:a5f167ca2a01
some work on permissions
author | meillo@marmaro.de |
---|---|
date | Mon, 26 Jan 2009 16:00:51 +0100 |
parents | a13392b4fee8 |
children | f44603443e2d |
340:a13392b4fee8 | 341:a5f167ca2a01 |
---|---|
428 | 428 |
429 | 429 |
430 | 430 |
431 \subsubsection*{Rights and permission} | 431 \subsubsection*{Rights and permission} |
432 | 432 |
433 The set of system users that is required for \qmail\ seems to be too complex. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission needs to be avoided as feasible. | 433 The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible. |
434 | 434 |
435 Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules. | 435 The \name{queue-in} module is the part of the system that is most critical about permission. It either needs to run as deamon (as a specific user) or be \name{setuid} or \name{setgid} in order to avoid a world-writable queue. \person{Ian~R.\ Justman} recommends to use \name{setgid} in this situation: |
436 | 436 |
437 \begin{table} | 437 \begin{quote} |
438 \begin{center} | 438 But if all you need to do is post a file into an area which does not have world writability but does have group writability, and you want accountability, the best, and probably easiest, way to accomplish this without the need for excess code for uid switching (which is tricky to deal with especially with setuid-to-root programs) is the setgid bit and a group-writable directory. |
439 \input{tbl/new-masqmail-permissions.tbl} | 439 \hfill\cite{justman:bugtraq} |
440 \end{center} | 440 \end{quote} |
441 \caption{Ownership and permissions of the modules} | 441 |
442 \label{tab:new-masqmail-permission} | 442 \person{Bernstein} chose \name{setuid} for the \name{qmail-queue} module, \person{Venema} uses \name{setgid} in \postfix, the differences are small. But each of them is better than running the module as a deamon. A deamon needs more resources and therefore become inefficient on systems with low mail amount like the ones \masqmail\ will probably run on. Short running processes are additionally higher obstacles for intruders because if an intruder managed to take one over it will die soon. |
443 \end{table} | 443 |
444 | 444 |
445 These are the permissions and ownership used for the queue: | 445 \subsubsection*{Daemon processes} |
446 \codeinput{input/new-masqmail-queue.txt} | 446 |
447 | 447 The modules \name{scanning} and \name{queue-out} are candidates for all-time running processes. But they could also get periodically started by \name{cron}. |
448 | 448 |
449 | 449 how is which process invoked? |
450 | 450 |
451 | 451 |
452 setuid/setgid or not? | 452 |
453 master process? needed, or wanted? | |
454 | |
455 | |
456 | |
457 where to drop privilege? needed? | |
458 | |
453 | 459 |
454 what can crash if an attacker succeeds? | 460 what can crash if an attacker succeeds? |
455 | 461 |
456 where to drop privilege? | 462 |
457 | 463 |
458 how is which process invoked? | 464 |
459 | 465 |
460 master process? needed, or wanted? | 466 %Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules. |
461 | 467 % |
462 which are the daemon processes? | 468 %\begin{table} |
463 | 469 % \begin{center} |
464 | 470 % \input{tbl/new-masqmail-permissions.tbl} |
465 | 471 % \end{center} |
466 | 472 % \caption{Ownership and permissions of the modules} |
467 | 473 % \label{tab:new-masqmail-permission} |
468 | 474 %\end{table} |
469 | 475 % |
470 http://fanf.livejournal.com/50917.html %how not to design an mta - the sendmail command | 476 %These are the permissions and ownership used for the queue: |
471 http://fanf.livejournal.com/51349.html %how not to design an mta - partitioning for security | 477 %\codeinput{input/new-masqmail-queue.txt} |
472 http://fanf.livejournal.com/61132.html %how not to design an mta - local delivery | 478 |
473 http://fanf.livejournal.com/64941.html %how not to design an mta - spool file format | 479 |
474 http://fanf.livejournal.com/65203.html %how not to design an mta - spool file logistics | |
475 http://fanf.livejournal.com/65911.html %how not to design an mta - more about log-structured MTA queues | |
476 http://fanf.livejournal.com/67297.html %how not to design an mta - more log-structured MTA queues | |
477 http://fanf.livejournal.com/70432.html %how not to design an mta - address verification | |
478 http://fanf.livejournal.com/72258.html %how not to design an mta - content scanning | |
479 | |
480 | |
481 |
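Review bot: the working notes left in the body of the new text at lines 449 and 460 ("how is which process invoked?", "what can crash if an attacker succeeds?") are not commented out, so they will be typeset into the chapter; prefix them with `%` like the table block at lines 466-477, or move them into a TODO macro. The commented-out table still carries a mismatched label: the text refers to `\ref{tab:new-masqmail-permissions}` (line 466) while the label is `\label{tab:new-masqmail-permission}` (line 473), so the reference will be undefined as soon as the table is restored. Spelling and grammar in the new paragraphs: "should to be avoided" (line 433) should read "should be avoided"; "deamon" appears three times in line 442 while the new heading at line 445 spells it "Daemon"; "therefore become inefficient" should be "therefore becomes inefficient". The security argument in line 442 also overstates what short-lived processes buy: whatever an intruder gains from a taken-over process need not die with that process, so the benefit is a shorter exposure window per message rather than a foothold that "will die soon"; consider rewording it to say that.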