docs/diploma

changeset 348:4ced91b9a2ca

reworked last part of permissions
author meillo@marmaro.de
date Tue, 27 Jan 2009 12:13:58 +0100
parents d1ea058c0949
children bec56f5deea8
files thesis/tex/5-Improvements.tex
diffstat 1 files changed, 2 insertions(+), 33 deletions(-)
     1.1 --- a/thesis/tex/5-Improvements.tex	Tue Jan 27 12:12:22 2009 +0100
     1.2 +++ b/thesis/tex/5-Improvements.tex	Tue Jan 27 12:13:58 2009 +0100
     1.3 @@ -428,9 +428,7 @@
     1.4  
     1.5  
     1.6  
     1.7 -\subsubsection*{Rights and permission} %fixme: singular, plural?
     1.8 -
     1.9 -This section leaves quite a few questions open. It is more a discussion on the topic. More information needs to be collected and further studies of the situations in existing \MTA{}s should be made. %fixme: this sentence at the end?
    1.10 +\subsubsection*{Rights and permissions}
    1.11  
    1.12  The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible.
    1.13  
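Review bot: the removed line 1.9 was the only place telling the reader this section is a discussion rather than a finished design, and the surrounding context still reads that way ("seems to be too complex", "more appropriate"); either keep a one-sentence version of that caveat or firm up the claims now that the disclaimer is gone. While this hunk is already editing the section, the unchanged context line 1.12 has a typo worth fixing in the same change: "should to be avoided as feasible" should read "should be avoided as far as feasible". The heading change to "Rights and permissions" does resolve the old %fixme, so the comment is correctly dropped.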
    1.14 @@ -447,36 +445,7 @@
    1.15  The modules \name{scanning} and \name{queue-out} are candidates for all-time running daemon processes. But they could also get periodically started by \name{cron}. Another possibility is to run a master process as daemon which starts and restarts the system parts. \postfix\ has such a master process, \qmail\ lacks it. The jobs of a master process can be done by the other tools of the operating system too, thus making the master process abdicable. \masqmail\ does probably better go without a master process because it aims to save resources, not to get the best performance.
    1.16  
    1.17  
    1.18 -In general is a sane permission management very important for secure software. The \name{principle of least privilege}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root, let it bind to the port and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd} or a similar ``super-server'' listens on the port instead of the \name{smtpd} module, but invokes the module as a connection attempt to the port is made. The \name{smtpd} module needs no privilege at all this way.
    1.19 +In general is a sane permission management very important for secure software. The \name{principle of least privilege}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root, let it bind to the port, and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd} or one of its substitutes listens on the port instead of the \name{smtpd} module. The \name{smtpd} module gets launched by \name{inetd} to handle the connection when a connection attempt to the port is made. The \name{smtpd} module needs no privilege at all this way.
    1.20  
    1.21  
    1.22  
    1.23 -The important goal with privilege management is to prevent unauthorized users from modifying or damaging the system. Unauthorized users are especially attackers. What can happen if an attacker breaks into \masqmail?
    1.24 -
    1.25 -All revceiving modules communicate only with \name{queue-in} which puts new mail into the queue. They run as user \name{nobody}\footnote{\name{nobody} is on \unix\ systems usually the name for a system user with no privilege.} and write only to log files. Apart of during-\SMTP-dialog spam prevention is their funtionality straight forward: They talk the specific protocol to the sender, receive the message on this way, and pass it over to \name{queue-in}.
    1.26 -
    1.27 -The queue is only modified by \name{queue-in}, \name{scanning}, and \name{queue-out}. All of them need to run with either the owner or the group \name{masqmail}. The queue directories must be of owner and group \name{masqmail} and only readable and modifiable by them.
    1.28 -
    1.29 -%XXX
    1.30 -
    1.31 -%fixme
    1.32 -
    1.33 -
    1.34 -
    1.35 -
    1.36 -
    1.37 -
    1.38 -%Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules.
    1.39 -%
    1.40 -%\begin{table}
    1.41 -%	\begin{center}
    1.42 -%		\input{tbl/new-masqmail-permissions.tbl}
    1.43 -%	\end{center}
    1.44 -%	\caption{Ownership and permissions of the modules}
    1.45 -%	\label{tab:new-masqmail-permission}
    1.46 -%\end{table}
    1.47 -%
    1.48 -%These are the permissions and ownership used for the queue:
    1.49 -%\codeinput{input/new-masqmail-queue.txt}
    1.50 -
    1.51 -
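Review bot: this hunk deletes the whole threat-model block (lines 1.23 to 1.27) without moving its content anywhere, although the commit message says "reworked"; in particular line 1.27 carried the only concrete least-privilege requirement in the section (the queue is modified only by queue-in, scanning and queue-out, all running as owner or group masqmail, with the queue directories readable and writable only by them), and line 1.25 stated which user the receiving modules run as. With those gone, the rewritten inetd paragraph on line 1.19 says smtpd "needs no privilege at all" but no longer says what account inetd launches it under or how it is still allowed to hand mail to queue-in; consider keeping at least the sentence from 1.27 and one clause on the receiving modules' user. Style on the new line 1.19: "In general is a sane permission management very important" keeps German word order and should read "In general, sane permission management is very important", and "root privilege is avoidable completely" reads better as "root privilege can be avoided completely". The commented-out table being removed also had a mismatch between \ref{tab:new-masqmail-permissions} and \label{tab:new-masqmail-permission}; if the table is reintroduced later, that needs fixing.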