docs/diploma

changeset 343:f44603443e2d

new text about permission
author meillo@marmaro.de
date Mon, 26 Jan 2009 23:17:52 +0100
parents 160de840edf9
children 8aa47a4b911e
files thesis/tex/5-Improvements.tex
diffstat 1 files changed, 10 insertions(+), 7 deletions(-)
line diff
     1.1 --- a/thesis/tex/5-Improvements.tex	Mon Jan 26 16:01:34 2009 +0100
     1.2 +++ b/thesis/tex/5-Improvements.tex	Mon Jan 26 23:17:52 2009 +0100
     1.3 @@ -428,7 +428,9 @@
     1.4  
     1.5  
     1.6  
     1.7 -\subsubsection*{Rights and permission}
     1.8 +\subsubsection*{Rights and permission} %fixme: singular, plural?
     1.9 +
    1.10 +This section leaves quite a few questions open. It is more a discussion on the topic. More information needs to be collected and further studies of the situations in existing \MTA{}s should be made. %fixme: this sentence at the end?
    1.11  
    1.12  The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided as feasible.
    1.13  
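Review bot: the new caveat paragraph at 1.10 sits directly under the heading, so the reader meets the disclaimer before any content; as the inline fixme already suggests, move it to the end of the section and shorten it to one sentence, e.g. "This section is more a discussion than a result; the situation in existing \MTA{}s needs further study." On the heading at 1.8, the body talks about "privilege" throughout (root privilege, setuid permission, least privilege), so "Privileges and permissions" fits better than "Rights and permission" and settles the singular/plural question in the comment. While this hunk is open, the context line 1.12 reads "should to be avoided as feasible"; it should read "should be avoided where feasible".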
    1.14 @@ -442,22 +444,23 @@
    1.15  \person{Bernstein} chose \name{setuid} for the \name{qmail-queue} module, \person{Venema} uses \name{setgid} in \postfix, the differences are small. But each of them is better than running the module as a deamon. A deamon needs more resources and therefore become inefficient on systems with low mail amount like the ones \masqmail\ will probably run on. Short running processes are additionally higher obstacles for intruders because if an intruder managed to take one over it will die soon.
    1.16  
    1.17  
    1.18 -\subsubsection*{Daemon processes}
    1.19 +The modules \name{scanning} and \name{queue-out} are candidates for all-time running daemon processes. But they could also get periodically started by \name{cron}. Another possibility is to run a master process as daemon which starts and restarts the system parts. \postfix\ has such a master process, \qmail\ lacks it. The jobs of a master process can be done by the other tools of the operating system too, thus making the master process abdicable. \masqmail\ does probably better go without a master process because it aims to save resources, not to get the best performance.
    1.20  
    1.21 -The modules \name{scanning} and \name{queue-out} are candidates for all-time running processes. But they could also get periodically started by \name{cron}.
    1.22  
    1.23 -how is which process invoked?
    1.24 +In general is a sane permission management very important for secure software. The \name{principle of least privilege}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root, let it bind to the port and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd} or a similar ``super-server'' listens on the port instead of the \name{smtpd} module, but invokes the module as a connection attempt to the port is made. The \name{smtpd} module needs no privilege at all this way.
    1.25  
    1.26  
    1.27  
    1.28 -master process? needed, or wanted?
    1.29 +The important goal with privilege management is to prevent unauthorized users from modifying or damaging the system. Unauthorized users are especially attackers. What can happen if an attacker breaks into \masqmail?
    1.30  
    1.31 +All revceiving modules communicate only with \name{queue-in} which puts new mail into the queue. They run as user \name{nobody}\footnote{\name{nobody} is on \unix\ systems usually the name for a system user with no privilege.} and write only to log files. Apart of during-\SMTP-dialog spam prevention is their funtionality straight forward: They talk the specific protocol to the sender, receive the message on this way, and pass it over to \name{queue-in}.
    1.32  
    1.33 +The queue is only modified by \name{queue-in}, \name{scanning}, and \name{queue-out}. All of them need to run with either the owner or the group \name{masqmail}. The queue directories must be of owner and group \name{masqmail} and only readable and modifiable by them.
    1.34  
    1.35 -where to drop privilege? needed?
    1.36 +%XXX
    1.37  
    1.38 +%fixme
    1.39  
    1.40 -what can crash if an attacker succeeds?
    1.41  
    1.42  
    1.43
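Review bot: the receiving modules at 1.31 are said to run as \name{nobody} and to write log files, but \name{nobody} is shared with every other unprivileged service on the host, so a compromised receiver runs with the same uid as those services, and any log file the receivers write must be writable by that shared uid; this also sits oddly beside the earlier statement at 1.12 that one dedicated system user, as \postfix\ uses, is preferable. Suggest a dedicated unprivileged user for the receivers (or a sentence on why \name{nobody} is acceptable here) and logging through \name{syslog} rather than files the receivers own. For the queue at 1.33, "either the owner or the group \name{masqmail}" implies that the queue directories must be group-writable (mode 0770 rather than 0700) when the \name{setgid} variant from 1.15 is chosen; state the mode explicitly and add that files created in the queue need the \name{masqmail} group as well. At 1.24 the \name{smtpd} discussion should say why root is needed in the first place (port 25 is a privileged port below 1024), that in the \name{inetd} variant it is \name{inetd} that keeps root while the module is started under an unprivileged uid configured there, and that the price is one fork and exec per connection, which fits the low-volume assumption made at 1.15. Replacing the open questions at 1.35 and 1.40 ("where to drop privilege? needed?", "what can crash if an attacker succeeds?") by a bare "%XXX" and "%fixme" loses the reminder of what is still missing; keep the questions as the comment text. Wording: at 1.19 "all-time running" should read "permanently running", "abdicable" should read "dispensable", and "does probably better go without" should read "is probably better off without"; at 1.24 "In general is a sane permission management very important" should read "In general, sane permission management is very important", and "as a connection attempt to the port is made" should read "when a connection to the port is made"; at 1.29 "Unauthorized users are especially attackers" should read "The unauthorized users to worry about most are attackers"; at 1.31 "revceiving" and "funtionality" are typos, and "Apart of during-\SMTP-dialog spam prevention is their funtionality straight forward" should read "Apart from spam prevention during the \SMTP\ dialog, their functionality is straightforward". The context line 1.15 has "deamon" twice for "daemon" and "therefore become" for "therefore becomes".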