docs/diploma

diff thesis/tex/5-Improvements.tex @ 341:a5f167ca2a01

some work on permissions
author meillo@marmaro.de
date Mon, 26 Jan 2009 16:00:51 +0100
parents a13392b4fee8
children f44603443e2d
     1.1 --- a/thesis/tex/5-Improvements.tex	Mon Jan 26 13:36:51 2009 +0100
     1.2 +++ b/thesis/tex/5-Improvements.tex	Mon Jan 26 16:00:51 2009 +0100
     1.3 @@ -430,52 +430,50 @@
     1.4  
     1.5  \subsubsection*{Rights and permission}
     1.6  
     1.7 -The set of system users that is required for \qmail\ seems to be too complex. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission needs to be avoided as feasible.
     1.8 +The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible.
     1.9  
    1.10 -Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules.
    1.11 +The \name{queue-in} module is the part of the system that is most critical about permission. It either needs to run as deamon (as a specific user) or be \name{setuid} or \name{setgid} in order to avoid a world-writable queue. \person{Ian~R.\ Justman} recommends to use \name{setgid} in this situation:
    1.12  
    1.13 -\begin{table}
    1.14 -	\begin{center}
    1.15 -		\input{tbl/new-masqmail-permissions.tbl}
    1.16 -	\end{center}
    1.17 -	\caption{Ownership and permissions of the modules}
    1.18 -	\label{tab:new-masqmail-permission}
    1.19 -\end{table}
    1.20 +\begin{quote}
    1.21 +But if all you need to do is post a file into an area which does not have world writability but does have group writability, and you want accountability, the best, and probably easiest, way to accomplish this without the need for excess code for uid switching (which is tricky to deal with especially with setuid-to-root programs) is the setgid bit and a group-writable directory.
    1.22 +\hfill\cite{justman:bugtraq}
    1.23 +\end{quote}
    1.24  
    1.25 -These are the permissions and ownership used for the queue:
    1.26 -\codeinput{input/new-masqmail-queue.txt}
    1.27 +\person{Bernstein} chose \name{setuid} for the \name{qmail-queue} module, \person{Venema} uses \name{setgid} in \postfix, the differences are small. But each of them is better than running the module as a deamon. A deamon needs more resources and therefore become inefficient on systems with low mail amount like the ones \masqmail\ will probably run on. Short running processes are additionally higher obstacles for intruders because if an intruder managed to take one over it will die soon.
    1.28  
    1.29  
    1.30 +\subsubsection*{Daemon processes}
    1.31  
    1.32 +The modules \name{scanning} and \name{queue-out} are candidates for all-time running processes. But they could also get periodically started by \name{cron}.
    1.33  
    1.34 +how is which process invoked?
    1.35  
    1.36 -setuid/setgid or not?
    1.37 +
    1.38 +
    1.39 +master process? needed, or wanted?
    1.40 +
    1.41 +
    1.42 +
    1.43 +where to drop privilege? needed?
    1.44 +
    1.45  
    1.46  what can crash if an attacker succeeds?
    1.47  
    1.48 -where to drop privilege?
    1.49  
    1.50 -how is which process invoked?
    1.51  
    1.52 -master process? needed, or wanted?
    1.53  
    1.54 -which are the daemon processes?
    1.55  
    1.56 +%Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules.
    1.57 +%
    1.58 +%\begin{table}
    1.59 +%	\begin{center}
    1.60 +%		\input{tbl/new-masqmail-permissions.tbl}
    1.61 +%	\end{center}
    1.62 +%	\caption{Ownership and permissions of the modules}
    1.63 +%	\label{tab:new-masqmail-permission}
    1.64 +%\end{table}
    1.65 +%
    1.66 +%These are the permissions and ownership used for the queue:
    1.67 +%\codeinput{input/new-masqmail-queue.txt}
    1.68  
    1.69  
    1.70 -
    1.71 -
    1.72 -
    1.73 -
    1.74 -http://fanf.livejournal.com/50917.html %how not to design an mta - the sendmail command
    1.75 -http://fanf.livejournal.com/51349.html %how not to design an mta - partitioning for security
    1.76 -http://fanf.livejournal.com/61132.html %how not to design an mta - local delivery
    1.77 -http://fanf.livejournal.com/64941.html %how not to design an mta - spool file format
    1.78 -http://fanf.livejournal.com/65203.html %how not to design an mta - spool file logistics
    1.79 -http://fanf.livejournal.com/65911.html %how not to design an mta -   more about log-structured MTA queues
    1.80 -http://fanf.livejournal.com/67297.html %how not to design an mta -   more log-structured MTA queues
    1.81 -http://fanf.livejournal.com/70432.html %how not to design an mta - address verification
    1.82 -http://fanf.livejournal.com/72258.html %how not to design an mta - content scanning
    1.83 -
    1.84 -
    1.85 -
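Review bot: the closing sentence of line 1.27 ("if an intruder managed to take one over it will die soon") overstates the security value of short-lived processes: a compromised setuid/setgid queue-in process can still drop arbitrary files into the group-writable queue, fork a long-lived child, or simply be re-triggered by the next submission, so its short lifetime removes a persistent foothold in the process itself but not persistence through what it writes; suggest rewording along the lines of "a short-lived process gives an attacker a smaller window and no resident foothold, though it does not by itself prevent persistence via the files it creates". In the same paragraph, "A deamon needs more resources and therefore become inefficient" should read "A daemon needs more resources and therefore becomes inefficient", and "deamon" is also misspelled in line 1.11; line 1.8 "should to be avoided" should be "should be avoided". The commented-out table block still carries the mismatch between `\label{tab:new-masqmail-permission}` (line 1.63) and `\ref{tab:new-masqmail-permissions}` (line 1.56); fix the label now so the reference does not come back undefined when the block is reinstated.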