docs/diploma

changeset 182:e35c7962d84f

wrote about spool file and permissions
author meillo@marmaro.de
date Sun, 28 Dec 2008 18:50:23 +0100 (2008-12-28)
parents 5dc8ad30760e
children dfe52fdbbed7
files thesis/input/new-masqmail-permissions.tex thesis/input/new-masqmail-queue.tex thesis/tex/4-MasqmailsFuture.tex
diffstat 3 files changed, 111 insertions(+), 15 deletions(-) [+]
line diff
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/thesis/input/new-masqmail-permissions.tex	Sun Dec 28 18:50:23 2008 +0100
     1.3 @@ -0,0 +1,23 @@
     1.4 +% new-masqmail-permissions
     1.5 +
     1.6 +\begin{tabular}[hbt]{| l || l | l |}
     1.7 +	\hline
     1.8 +	module & runs as owner:group & daemon \\
     1.9 +	\hline
    1.10 +	\hline
    1.11 +	sendmail & the invoking one & no \\
    1.12 +	\hline
    1.13 +	smtpd & root->nobody & yes (or via inetd) \\
    1.14 +	\hline
    1.15 +	queue-in & setgid masqmail & no \\
    1.16 +	\hline
    1.17 +	scanning & masqmail & yes \\
    1.18 +	\hline
    1.19 +	queue-out & masqmail & yes \\
    1.20 +	\hline
    1.21 +	pipe & masqmail & no \\
    1.22 +	\hline
    1.23 +	smtp & masqmail->nobody & no \\
    1.24 +	\hline
    1.25 +\end{tabular}
    1.26 +
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/thesis/input/new-masqmail-queue.tex	Sun Dec 28 18:50:23 2008 +0100
     2.3 @@ -0,0 +1,15 @@
     2.4 +% new-masqmail-queue
     2.5 +
     2.6 +\begin{verbatim}
     2.7 +$ tree -up /var/spool/masqmail
     2.8 +.
     2.9 +|-- [drwx------ masqmail]  incoming
    2.10 +|   `-- [-rwx------ masqmail]  1LGtAw-0pL-00
    2.11 +|-- [drwx------ masqmail]  outgoing
    2.12 +|   `-- [-rwx------ masqmail]  5TGi2t-0pA-01
    2.13 +`-- [drwx------ masqmail]  pool
    2.14 +    |-- [-rwx------ masqmail]  1LGtAw-0pL-00
    2.15 +    `-- [-rwx------ masqmail]  5TGi2t-0pA-01
    2.16 +
    2.17 +3 directories, 4 files
    2.18 +\end{verbatim}
     3.1 --- a/thesis/tex/4-MasqmailsFuture.tex	Sun Dec 28 18:48:52 2008 +0100
     3.2 +++ b/thesis/tex/4-MasqmailsFuture.tex	Sun Dec 28 18:50:23 2008 +0100
     3.3 @@ -179,6 +179,9 @@
     3.4  
     3.5  \MTA\ setups that include content scanning tend to require two separate queues. To use \sendmail\ in such setups requires two independent instances, with two separate queues, running. \exim\ can handle it with special \name{router} and \name{transport} rules, but the data flow gets complicated. Hence an idea is to use two queues, \name{incoming} and \name{active} in \postfix's terminology, with the content scanning within the move from \name{incoming} to \name{active}.
     3.6  
     3.7 +\sendmail, \exim, \qmail, and \masqmail\ all use at least two files to store one message in the queue: one file contains the message body, another the envelope and header information. The one containing the mail body is not modified at all. \postfix\ takes a different approach in storing queued messages in an internal format within one file. \person{Finch} takes yet another different approach in suggesting to store the whole queue in one single file with pointers to separating positions \cite{finchFIXME}.
     3.8 +%fixme: check, cite, and think about
     3.9 +
    3.10  
    3.11  
    3.12  \subsubsection*{Sanitize mail}
    3.13 @@ -413,6 +416,7 @@
    3.14  
    3.15  
    3.16  The \name{queue-in} module creates new spool files in the \name{incoming} queue for incoming messages. It is a process running in background, waiting for connections from one of the receiver modules. When one of them requests for a new spool file, the \name{queue-in} module opens one and returns a positive result. The receiver module then sends the envelope and message, which is written into the spool file by \name{queue-in}. If all went well, another positive result is returend.
    3.17 +%fixme: should be no daemon
    3.18  
    3.19  
    3.20  The \name{scanning} module is the central part of the system. It takes spooled messages from the \name{incoming} queue, works on them, and writes them to the \name{outgoing} queue afterwards (the message is then removed from the \name{incoming} queue, of course). The main job is the processing done on the message. Headers are fixed and missing ones are added if necessary, aliasing is done, and external processing of any kind is triggered. The \name{scanning} module can run in background and look for new mail in regular intvals or signals may be sent to it by \name{queue-in}. Alternatively it can be called by \name{cron}, for example, to do single runs.
    3.21 @@ -451,15 +455,18 @@
    3.22  
    3.23  % timing
    3.24  One dialog consists of the four phases: connection attempt, acceptance reply, data transfer, success reply. The order is always the same. The connection attempt and data transfer are sent by the client process; replies are sent by the server process.
    3.25 +%fixme: split between header and data
    3.26  
    3.27  % semantics
    3.28  The connection attempt is simply opening the connection. This starts the dialog. A positive reply by the server leads to the data transfer, but a negative reply refuses the connection and resets both client and server to the state before the connection attempt. If the connection attempt was accepted, the client sends the data ending with a terminator sequence. When this terminator appears, the server process knows the complete data was transfered. The server process takes responsibility of the data in sending a positive success reply. A negative success reply resets both client and server to the state before the connection attempt.
    3.29  
    3.30  The data transfered needs to be of specific format. Used is the same format in which messages are spooled in the mail queues. See the following section for details. %fixme: check if it is the following section
    3.31 +%fixme: split between header and data
    3.32  
    3.33  % syntax
    3.34  Data transfer is done sending plain text data. %fixme: utf8 ?
    3.35 -The terminator sequence used to indicate the end of the data transfer is a single dot on a line on its own. Line separators are the combination of \name{New Line} and \name{Carriage Return}, as it is used in various Internet protocols like \SMTP. Replys are one-digit numbers with \texttt{0} meaning success and any other number (\texttt{1}--\texttt{9}) indicate failure. %fixme: is it NL-CR or CR-NL? What are the octal values?
    3.36 +The terminator sequence used to indicate the end of the data transfer is a single dot on a line on its own. Line separators are the combination of \name{Carriage Return} and \name{Line Feed}, as it is used in various Internet protocols like \SMTP. Replys are one-digit numbers with \texttt{0} meaning success and any other number (\texttt{1}--\texttt{9}) indicate failure. %fixme: What are the octal values?
    3.37 +%fixme: split between header and data
    3.38  
    3.39  Figure \ref{fig:ipc-protocol} is a state diagram for the protocol.
    3.40  
    3.41 @@ -467,34 +474,85 @@
    3.42  
    3.43  \subsection{Spool file format}
    3.44  
    3.45 -<< talk about fanf >>
    3.46 +The spool file format is basically the same as the one in current \masqmail: one file for the message body, the other for envelope and header information. The data file is stored in a separate data pool. It is written by \name{queue-in}, \name{scanning} can read it if necessary, \name{queue-out} reads it to generate the outgoing message, and deletes it after successful transfer. The header file (including the envelope) is written into the \name{incoming} queue. The \name{scanning} modules reads it, processes it, and writes a modified copy into the \name{outgoing} queue; the file in \name{incoming} is deleted then. \name{queue-out} finally takes the header file from \name{outgoing} to generate the resulting message. This data flow is shown in figure \ref{fig:queue-data-flow}.
    3.47  
    3.48 -<< inode stuff of qmail >>
    3.49 +\begin{figure}
    3.50 +	\begin{center}
    3.51 +		\input{input/queue-data-flow.tex}
    3.52 +	\end{center}
    3.53 +	\caption{Data flow of messages in the queue}
    3.54 +	\label{fig:queue-data-flow}
    3.55 +\end{figure}
    3.56  
    3.57 -<< keep it simple! >>
    3.58 +The queue consists of three directories within the queue path. Two, named \name{incoming} and \name{outgoing}, for storing the header files; one, called \name{pool}, to store the message bodies. The files being part of one message share the same unique name. The header files internal structure can be the same as the one of current \masqmail.
    3.59  
    3.60 +Messages in queues are a header file in \name{incoming} or \name{outgoing} and a data file in \name{pool}. The header file owner's executable bit indicates if the file is ready for further processing: the module that writes the file into the queue sets the bit as last action. Modules that read from the queue can process messages with the bit set.
    3.61 +
    3.62 +No spool files are modified after they are written to disk. Modifications to header files can be made by the \name{scanning} module in the ``move'' from \name{incoming} to \name{outgoing}---it is a create and remove, actually. Further rewriting can happen in \name{queue-out}, as well without altering the file.
    3.63 +
    3.64 +Data files do not change at all within the system. They are written in default local plain text format. Required translation is done in the receiver and transport modules.
    3.65 +
    3.66 +
    3.67 +%\begin{verbatim}
    3.68 +%s f /          envelope data
    3.69 +%p i |          NL
    3.70 +%o l |       /  header lines
    3.71 +%o e |  mail |  NL
    3.72 +%l   \       \  mail body
    3.73 +%\end{verbatim}
    3.74 +
    3.75 +A sample header file.
    3.76  \begin{verbatim}
    3.77 -s f /          envelope data
    3.78 -p i |          NL
    3.79 -o l |       /  header lines
    3.80 -o e |  mail |  NL
    3.81 -l   \       \  mail body
    3.82 +1LGtYh-0ut-00                (backup copy of the file name)
    3.83 +MF:<meillo@dream>            (envelope: sender)
    3.84 +RT: <user@example.org>       (envelope: recipient)
    3.85 +PR:local                     (meta info: protocol)
    3.86 +ID:meillo                    (meta info: id/user/ip)
    3.87 +DS: 18                       (meta info: size)
    3.88 +TR: 1230462707               (meta info: timestamp)
    3.89 +                             (following: headers)
    3.90 +HD:Received: from meillo by dream with local (masqmail 0.2.21) id
    3.91 + 1LGtYh-0ut-00 for <user@example.org>; Sun, 28 Dec 2008 12:11:47 +0100
    3.92 +HD:To: user@example.org
    3.93 +HD:Subject: test mail
    3.94 +HD:From: <meillo@dream>
    3.95 +HD:Date: Sun, 28 Dec 2008 12:11:47 +0100
    3.96 +HD:Message-ID: <1LGtYh-0ut-00@dream>
    3.97  \end{verbatim}
    3.98  
    3.99  
   3.100  
   3.101 +
   3.102  \subsection{Rights and permission}
   3.103  
   3.104 +The user set required for \qmail\ seems to be too complex. One special user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission is avoided as much as possible.
   3.105 +
   3.106 +Table \ref{tab:new-masqmail-permissions} shows the suggested ownership and permissions of the modules. Figure \ref{fig:new-masqmail-queue} shows the permissions and ownership used for the queue.
   3.107 +
   3.108 +\begin{table}
   3.109 +	\begin{center}
   3.110 +		\input{input/new-masqmail-permissions.tex}
   3.111 +	\end{center}
   3.112 +	\caption{Ownership and permissions of the modules}
   3.113 +	\label{tab:new-masqmail-permission}
   3.114 +\end{table}
   3.115 +
   3.116 +\begin{figure}
   3.117 +	\begin{center}
   3.118 +		\input{input/new-masqmail-queue.tex}
   3.119 +	\end{center}
   3.120 +	\caption{Ownership and permissions of the queue}
   3.121 +	\label{fig:new-masqmail-queue}
   3.122 +\end{figure}
   3.123 +
   3.124 +
   3.125 +
   3.126 +
   3.127 +
   3.128  setuid/setgid or not?
   3.129  
   3.130 -how many system users?
   3.131 -
   3.132 -what permission where?
   3.133 -
   3.134  what can crash if an attacker succeeds?
   3.135  
   3.136 -which process runs with what rights?
   3.137 -
   3.138  where to drop privelege?
   3.139  
   3.140  how is which process invoked?