# HG changeset patch
# User meillo@marmaro.de
# Date 1232982051 -3600
# Node ID a5f167ca2a01c60cee3e6c4bcc682098033aad90
# Parent a13392b4fee8a351795f91b218e07ae517f8b1a9
some work on permissions
diff -r a13392b4fee8 -r a5f167ca2a01 thesis/bib/thesis.bib
--- a/thesis/bib/thesis.bib Mon Jan 26 13:36:51 2009 +0100
+++ b/thesis/bib/thesis.bib Mon Jan 26 16:00:51 2009 +0100
@@ -218,7 +218,7 @@
 author = "Rick Moen and Ted Cabeen and Bastian Blank and Sean Burlington and Simon Cooper and J. C. Lawrence",
 title = "Subject: \emph{email server question...}",
 year = "2002--2003",
- howpublished = "This is a discussion on the mailing list \emph{plug@lists.q-linux.com} in Fall 2002.",
+ howpublished = "This is a discussion on the mailing list \emph{plug@lists.q-linux.com}",
 note = "Available on the Internet: {\small\url{http://linuxmafia.com/faq/Mail/mtas.html} (2008-12-09)}",
 }
@@ -456,3 +456,17 @@
 howpublished = "On the Internet: {\small\url{http://fanf.livejournal.com/65203.html} (2009-01-26)}",
 note = "Part 5 of the series ``\emph{How not to design an MTA}'' which is accessable at: {\small\url{http://dotat.at/writing/mta-arch}}. His articles ``\emph{More about log-structured queues}'' and ``\emph{More log-structured queues}'' discuss the idea in more detail.",
 }
+
+
+@misc{justman:bugtraq,
+ author = "Ian~R. Justman",
+ title = "Subject: \emph{setuid vs. setgid}",
+ year = "1999",
+ month = "January",
+ howpublished = "This is a post to the \emph{Bugtraq} mailing list \emph{bugtraq@securityfocus.com}",
+ note = "Available on the Internet: {\small\url{http://seclists.org/bugtraq/1999/Jan/0099.html} (2009-01-26)}",
+}
+
+
+
+
diff -r a13392b4fee8 -r a5f167ca2a01 thesis/tex/5-Improvements.tex
--- a/thesis/tex/5-Improvements.tex Mon Jan 26 13:36:51 2009 +0100
+++ b/thesis/tex/5-Improvements.tex Mon Jan 26 16:00:51 2009 +0100
@@ -430,52 +430,50 @@ \subsubsection*{Rights and permission} -The set of system users that is required for \qmail\ seems to be too complex. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission needs to be avoided as feasible. +The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible. -Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules. +The \name{queue-in} module is the part of the system that is most critical about permission. It either needs to run as deamon (as a specific user) or be \name{setuid} or \name{setgid} in order to avoid a world-writable queue. \person{Ian~R.\ Justman} recommends to use \name{setgid} in this situation: -\begin{table} - \begin{center} - \input{tbl/new-masqmail-permissions.tbl} - \end{center} - \caption{Ownership and permissions of the modules} - \label{tab:new-masqmail-permission} -\end{table} +\begin{quote} +But if all you need to do is post a file into an area which does not have world writability but does have group writability, and you want accountability, the best, and probably easiest, way to accomplish this without the need for excess code for uid switching (which is tricky to deal with especially with setuid-to-root programs) is the setgid bit and a group-writable directory. +\hfill\cite{justman:bugtraq} +\end{quote} -These are the permissions and ownership used for the queue: -\codeinput{input/new-masqmail-queue.txt} +\person{Bernstein} chose \name{setuid} for the \name{qmail-queue} module, \person{Venema} uses \name{setgid} in \postfix, the differences are small. But each of them is better than running the module as a deamon. 
A deamon needs more resources and therefore become inefficient on systems with low mail amount like the ones \masqmail\ will probably run on. Short running processes are additionally higher obstacles for intruders because if an intruder managed to take one over it will die soon. +\subsubsection*{Daemon processes} +The modules \name{scanning} and \name{queue-out} are candidates for all-time running processes. But they could also get periodically started by \name{cron}. +how is which process invoked? -setuid/setgid or not? + + +master process? needed, or wanted? + + + +where to drop privilege? needed? + what can crash if an attacker succeeds? -where to drop privilege? -how is which process invoked? -master process? needed, or wanted? -which are the daemon processes? +%Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules. +% +%\begin{table} +% \begin{center} +% \input{tbl/new-masqmail-permissions.tbl} +% \end{center} +% \caption{Ownership and permissions of the modules} +% \label{tab:new-masqmail-permission} +%\end{table} +% +%These are the permissions and ownership used for the queue: +%\codeinput{input/new-masqmail-queue.txt} - - - - -http://fanf.livejournal.com/50917.html %how not to design an mta - the sendmail command -http://fanf.livejournal.com/51349.html %how not to design an mta - partitioning for security -http://fanf.livejournal.com/61132.html %how not to design an mta - local delivery -http://fanf.livejournal.com/64941.html %how not to design an mta - spool file format -http://fanf.livejournal.com/65203.html %how not to design an mta - spool file logistics -http://fanf.livejournal.com/65911.html %how not to design an mta - more about log-structured MTA queues -http://fanf.livejournal.com/67297.html %how not to design an mta - more log-structured MTA queues -http://fanf.livejournal.com/70432.html %how not to design an mta - address verification -http://fanf.livejournal.com/72258.html %how not to design an mta 
- content scanning - - -
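Review bot: The commented-out table block carries a label/reference mismatch that will bite as soon as it is re-enabled: the text references `%Table \ref{tab:new-masqmail-permissions}` (plural) while the float is labelled `%\label{tab:new-masqmail-permission}` (singular), so the cross-reference would resolve to an undefined label; rename one of them now while the block is inert. The new paragraph on \name{queue-in} also presents the \name{setgid} choice without the condition that makes it sound: a group-writable queue directory only replaces a world-writable one if the directory is not world-accessible and the \name{queue-in} module creates spool files with a restrictive umask (group access at most, no access for others), otherwise any local user can still read or tamper with queued mail; a sentence such as `The queue directory must be group-writable but not world-accessible, and \name{queue-in} must create spool files with a restrictive umask.` after the Justman quote would close that gap, and it is worth adding that a \name{setgid} binary is still a privileged program exposed to the caller's environment, open file descriptors and resource limits, so the hardening usually discussed for \name{setuid} applies unchanged. Finally, the added prose has typos that the commit introduces: `run as deamon` and `as a deamon` should read `daemon`, and `should to be avoided` should read `should be avoided`.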