Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-25 Thread Ben Ford

Tomas Telensky wrote:



>But, what I should say to the network security, is that AFAIK in the most
>of linux distributions the standard daemons (httpd, sendmail) are run as
>root! Having multi-user system or not! Why? For only listening to a port
><1024? Is there any elegant solution?
>

Yes, most daemons have the ability to switch user ID once they have
bound to the port.  Additionally, support is starting to show up for
capabilities.  I know that ProFTPD has support.  Now, assuming it is 
running on a newer kernel, it never needs to be root, because it has 
been granted the capability to open a low port.  Even if it is cracked, 
it cannot do other things like . . . insert a kernel module, . . . 
overwrite /etc/passwd . . . . . etc

-b

-- 
Three things are certain:
Death, taxes, and lost data
Guess which has occurred.
- - - - - - - - - - - - - - - - - - - -
Patched Micro$oft servers are secure today . . . but tomorrow is another story!



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread David Gómez

On Tue, 24 Apr 2001, Tomas Telensky wrote:

> 
> But, what I should say to the network security, is that AFAIK in the most
> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any elegant solution?
> 

httpd as root? That's what I call a clueless network admin.
sendmail has an OBSOLETE design. Use a good MTA like qmail. Exim or
smail are ok, but they're still "sendmailish".


David Gómez

"The question of whether computers can think is just like the question of
 whether submarines can swim." -- Edsger W. Dijkstra





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Markus Schaber

Hello,

On Tue, 24 Apr 2001, Alan Cox wrote:

> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.
>
>   email -> sendmail
>   sendmail 'its local' -> spool
>
> user:
>   get_mail | procmail
>   mutt
>
> The mail server doesn't need to run procmail. If you wanted to run mail batches
> through on a regular basis you can use cron for it, or leave a daemon running

Oh, well, cron is just another suid program.

This example would just be the ideal scenario for posix- or novell-style
ACLs in the filesystem.

You run the MDA/MTA under some mailerdaemon uid. And then a user can
explicitly give this daemon read access to .procmail etc. You can also
give the MTA (and nobody else) write access to /var/spool/mail. The MDA
then gives the specific user full access to the spoolfile when creating
it, or adding mail to it. And the user can fetch his mail and truncate or
delete the file just as he and his software are used to.

There are many more things with ACLs, especially in workgroup environments
(That's why I loved the old Novell server in our university), but they
never got into the kernel.  And as far as I (as a non-hacker) understand,
the fields reserved for this feature were dropped for the large file
support, so we may never see ACLs.

Regards,
Markus
-- 
| Happy is he who forgets what he has not become.
+---. ,>
http://www.uni-ulm.de/~s_mschab/ \   /
mailto:[EMAIL PROTECTED]  \_/





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> And get_mail must have elevated privileges to search for the user's mail...
> or sendmail must have already switched user on receipt to put it in the
> user's inbox which also requires privileges...

No. Think instead of blindly following existing implementation

socket(AF_UNIX, SOCK_STREAM, 0);
connect("/var/run/mailservice");
write("GIMMEMYMAIL\n");
read("200 CATCH..");
read(all my mail)

The daemon needs no privilege. The client needs no privilege. The
PEERCRED authentication on AF_UNIX sockets does the work. I can even pass you
back the file handle of the mailbox if I was using an old style non database
indexed mail spool.

> It's much more efficent to process each mail as it arrives.

You are doing a lot more exec() calls that way. If you get enough mail
to make spool space an issue you want a daemon.

Alan





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Jesse Pollard

-  Received message begins Here  -

> 
> > 1. email -> sendmail
> > 2. sendmail figures out what it has to do with it. turns out it's deliver
> ...
> 
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.
> 
>   email -> sendmail
>   sendmail 'its local' -> spool
> 
> user:
>   get_mail | procmail
>   mutt
> 
> The mail server doesn't need to run procmail. If you wanted to run mail batches
> through on a regular basis you can use cron for it, or leave a daemon running

And get_mail must have elevated privileges to search for the user's mail...
or sendmail must have already switched user on receipt to put it in the
user's inbox which also requires privileges...

And an additional daemon (owned by the user) is yet another attack point...

Cron could be used to batch message handling... as long as it runs before
the user's quota is used up. This becomes the same as using IMAP or fetchmail
to download it.

It's much more efficient to process each mail as it arrives.

All this does is move the program that requires privileges to somewhere
else. It doesn't eliminate it.

Granted, sendmail could use a better implementation of a security model.

-
Jesse I Pollard, II
Email: [EMAIL PROTECTED]

Any opinions expressed are solely my own.



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alex Riesen

On Tue, Apr 24, 2001 at 04:53:10PM +0100, Alan Cox wrote:
> > 1. email -> sendmail
> > 2. sendmail figures out what it has to do with it. turns out it's deliver
> ...
> 
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.
> 
>   email -> sendmail
>   sendmail 'its local' -> spool
Isn't this a good thing to have spam filtered out before it will be
written in spool?

Alex Riesen



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> 1. email -> sendmail
> 2. sendmail figures out what it has to do with it. turns out it's deliver
...

> Now, in order for step 4 to be done safely, procmail should be running
> as the user it's meant to deliver the mail for. for this to happen
> sendmail needs to start it as that user in step 3 and to do that it
> needs extra privs, above and beyond that of a normal user.

email -> sendmail
sendmail 'its local' -> spool

user:
get_mail | procmail
mutt

The mail server doesn't need to run procmail. If you wanted to run mail batches
through on a regular basis you can use cron for it, or leave a daemon running





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Pjotr Kourzanoff

On Wed, 25 Apr 2001, CaT wrote:

> On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> > > use port 2525 as SMTP port in your MTA. I've succeeded in setting up such a
> > > configuration.
> >
> >   This requires you to ensure that your MTA is started first on that
> >   port...Might be difficult to achieve reliably in an automatic way
> >   without root privileges :-(
> >
> >   mailuser@foo% /etc/rc.d/init.d/sendmail stop
> >   badguy@foo% ./suck 2525
> >   mailuser@foo% /etc/rc.d/init.d/sendmail start
>
> Not necessarily. While I have not yet used the feature, iptables
> permits firewalling on userid. I presume this includes whether or

  man iptables.

> not a program can listen on a port, right? (and all the other
> fun things).
>
> If so then all you'd have to do is deny external access to port 2525
> and only permit mailuser to listen etc on it and you're set.

  For this to work, you need to hack up iptables on the mail server
  itself as -m owner only works for locally generated packets. And
  even then ./suck will receive on 2525 but will not be able to reply.





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread CaT

On Tue, Apr 24, 2001 at 03:59:28PM +0100, Alan Cox wrote:
> What is this gid mail crap? You don't need privilege. You get the mail by
> asking the daemon for it. procmail needs no privilege either if it is done
> right.
> 
> You just need to think about the security models in the right way. Linux gives
> you the ability to do authenticated uid/gid checking over a socket connection.
> That is an incredibly powerful model for real compartmentalisation.

Ok. My experience isn't all that great so I may well be missing something
here. But what?

1. email -> sendmail

2. sendmail figures out what it has to do with it. turns out it's deliver
it locally for user blah

3. sendmail starts procmail so that it delivers the email.

4. procmail goes through the recipe list for user blah and eventually
delivers the email (one way or another)

Now, in order for step 4 to be done safely, procmail should be running
as the user it's meant to deliver the mail for. for this to happen
sendmail needs to start it as that user in step 3 and to do that it
needs extra privs, above and beyond that of a normal user.

Now as I said, I'm not a UNIX God[tm] and so I may well be missing something
vital. If so, what is it? This sounds like something that would be way
useful to learn. :)

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
 speaking of mental giants..
 me, a giant, bullshit
 And i'm not mental
- An IRC session, 20/12/2000




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Jesse Pollard

Tomas Telensky <[EMAIL PROTECTED]>
> On Tue, 24 Apr 2001, Alexander Viro wrote:
> > On Tue, 24 Apr 2001, Tomas Telensky wrote:
> > 
> > > of linux distributions the standard daemons (httpd, sendmail) are run as
> > > root! Having multi-user system or not! Why? For only listening to a port
> > > <1024? Is there any elegant solution?
> > 
> > Sendmail is old. Consider it as a remnant of times when network was
> > more... friendly. Security considerations were mostly ignored - and
> > not only by sendmail. It used to be chock-full of holes. They were
> > essentially debugged out of it in late 90s. It seems to be more or
> > less OK these days, but it's full of old cruft. And splitting the
> > thing into reasonable parts and leaving them with minimal privileges
> > they need is large and painful work.

Actually, if you view sendmail as being an expert system it is very
cutting edge :-) It can identify a user from very skimpy data if it
is allowed to (fuzzy matching user names). It identifies local hosts
(with FQDN or partial name, or only host name).

> Thanks for the comment. And why not just let it listen to 25 and then
> being run as uid=nobody, gid=mail?

Because then everybody's mail would be owned by user "nobody".

There are some ways to do this, but they are unreliable.

   1. If the user's mail is delivered to /var/mail/; then the
      file /var/mail/ must always exist.

      This requires ALL MUAs to truncate the file.
      Some MUAs use file existence to determine if there is new mail.
      If it doesn't exist, then no new mail... ever.

   2. sendmail will not be able to create the /var/mail/ mail box.

   3. sendmail will not be able to process forwarding mail.
      User nobody should not be able to read files in users' home
      directory... .forward files are private to the user...

   4. sendmail will not be able to process user mail filters (same problem
      as forwarding).

Note: these filters are applied on receipt of mail (saves time and
disk space since the filter can discard mail immediately or put it
in appropriate folders immediately).

-
Jesse I Pollard, II
Email: [EMAIL PROTECTED]

Any opinions expressed are solely my own.



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread CaT

On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> > use port 2525 as SMTP port in your MTA. I've succeeded in setting up such a
> > configuration.
> 
>   This requires you to ensure that your MTA is started first on that
>   port...Might be difficult to achieve reliably in an automatic way
>   without root privileges :-(
> 
>   mailuser@foo% /etc/rc.d/init.d/sendmail stop
>   badguy@foo% ./suck 2525
>   mailuser@foo% /etc/rc.d/init.d/sendmail start

Not necessarily. While I have not yet used the feature, iptables
permits firewalling on userid. I presume this includes whether or
not a program can listen on a port, right? (and all the other
fun things).

If so then all you'd have to do is deny external access to port 2525
and only permit mailuser to listen etc on it and you're set.

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
 speaking of mental giants..
 me, a giant, bullshit
 And i'm not mental
- An IRC session, 20/12/2000




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Gábor Lénárt

On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> On Tue, 24 Apr 2001, [iso-8859-2] Gábor Lénárt wrote:
> >
> > Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and
> 
>   This is more like 25 -> 2525 :-)

OK, that was a hard night for me, I need some sleep :)

> > use port 2525 as SMTP port in your MTA. I've succeeded in setting up such a
> > configuration.
> 
>   This requires you to ensure that your MTA is started first on that
>   port...Might be difficult to achieve reliably in an automatic way
>   without root privileges :-(
> 
>   mailuser@foo% /etc/rc.d/init.d/sendmail stop
>   badguy@foo% ./suck 2525
>   mailuser@foo% /etc/rc.d/init.d/sendmail start

Yes, you're right. But this is a mail server without any user on it
(even users are authenticated from LDAP).

-- 
 --[ Gábor Lénárt ]---[ Vivendi Telecom Hungary ]-[ [EMAIL PROTECTED] ]--
 U have 8 bit comp or chip of them and it's unused or to be sold? Call me!
 ---[ +36 30 2270823 ]--> LGB <-[ Linux/UNIX/8bit 4ever ]-



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> I've always found the root < 1024 to be quite limited and find myself
> wishing I could assign permissions based on ip/port.

It's been done. Search for 'sockfs' I believe it was called.



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> > Copying spool articles matching the peercred to the client does not
> 
> Running procmail as the user who is to receive the email for local mail
> delivery as running it with gid mail (for eg) would allow one user to
> modify another's mail.

What is this gid mail crap? You don't need privilege. You get the mail by
asking the daemon for it. procmail needs no privilege either if it is done
right.

You just need to think about the security models in the right way. Linux gives
you the ability to do authenticated uid/gid checking over a socket connection.
That is an incredibly powerful model for real compartmentalisation.

Alan




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Gerhard Mack

On Tue, 24 Apr 2001, Alan Cox wrote:

> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
> 
> Or that you shouldn't let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
> 
> It is possible to implement the entire mail system without anything running
> as root but xinetd.
> 
Qmail does exactly this AFAIK.

I've always found the root < 1024 to be quite limited and find myself
wishing I could assign permissions based on ip/port. 

Gerhard

 

--
Gerhard Mack

[EMAIL PROTECTED]

<>< As a computer I find your faith in technology amusing.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread CaT

On Tue, Apr 24, 2001 at 03:37:34PM +0100, Alan Cox wrote:
> What role requires privilege once the port is open?
> 
>   DNS lookup does not
>   Spooling to disk does not
>   Accepting a connection from a client does not
>   Doing peercred auth with a client does not
>   Copying spool articles matching the peercred to the client does not

Running procmail as the user who is to receive the email for local mail
delivery as running it with gid mail (for eg) would allow one user to
modify another's mail.

(just a thought - the above's valid with sendmail at least)

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
 speaking of mental giants..
 me, a giant, bullshit
 And i'm not mental
- An IRC session, 20/12/2000




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Pjotr Kourzanoff

On Tue, 24 Apr 2001, [iso-8859-2] Gábor Lénárt wrote:
>
> Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and

  This is more like 25 -> 2525 :-)

> use port 2525 as SMTP port in your MTA. I've succeeded in setting up such a
> configuration.

  This requires you to ensure that your MTA is started first on that
  port...Might be difficult to achieve reliably in an automatic way
  without root privileges :-(

  mailuser@foo% /etc/rc.d/init.d/sendmail stop
  badguy@foo% ./suck 2525
  mailuser@foo% /etc/rc.d/init.d/sendmail start
  ...






Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Alan Cox wrote:

> > > It is possible to implement the entire mail system without anything running
> > > as root but xinetd.
> > 
> > You want an MDA with elevated privileges, though...
 ^
> What role requires privilege once the port is open?

.forward handling may, depending on how much you want to put into it.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> > It is possible to implement the entire mail system without anything running
> > as root but xinetd.
> 
> You want an MDA with elevated privileges, though...

What role requires privilege once the port is open?

DNS lookup does not
Spooling to disk does not
Accepting a connection from a client does not
Doing peercred auth with a client does not
Copying spool articles matching the peercred to the client does not

Alan





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Gábor Lénárt

On Tue, Apr 24, 2001 at 03:18:11PM +0100, Alan Cox wrote:
> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
> 
> Or that you shouldn't let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
> 
> It is possible to implement the entire mail system without anything running
> as root but xinetd.

Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and
use port 2525 as SMTP port in your MTA. I've succeeded in setting up such a
configuration.

-- 
 --[ Gábor Lénárt ]---[ Vivendi Telecom Hungary ]-[ [EMAIL PROTECTED] ]--
 U have 8 bit comp or chip of them and it's unused or to be sold? Call me!
 ---[ +36 30 2270823 ]--> LGB <-[ Linux/UNIX/8bit 4ever ]-



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Alan Cox wrote:

> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
> 
> Or that you shouldn't let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
> 
> It is possible to implement the entire mail system without anything running
> as root but xinetd.

You want an MDA with elevated privileges, though...




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > Correct. <1024 requires root to bind to the port.
> ... And nothing says that it should be done by daemon itself.

Or that you shouldn't let inetd do it for you
And that you shouldn't drop the capabilities except that bind

It is possible to implement the entire mail system without anything running
as root but xinetd.







Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Tomas Telensky wrote:

> Thanks for the comment. And why not just let it listen to 25 and then
> being run as uid=nobody, gid=mail?

Handling of .forward, for one thing. Or pipe aliases, or...

None of this stuff is unsolvable (e.g. handling of .forward belongs to
MDA, not MTA), but changing that will break existing setups.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Tomas Telensky



On Tue, 24 Apr 2001, Alexander Viro wrote:

> 
> 
> On Tue, 24 Apr 2001, Tomas Telensky wrote:
> 
> > of linux distributions the standard daemons (httpd, sendmail) are run as
> > root! Having multi-user system or not! Why? For only listening to a port
> > <1024? Is there any elegant solution?
> 
> Sendmail is old. Consider it as a remnant of times when network was
> more... friendly. Security considerations were mostly ignored - and
> not only by sendmail. It used to be chock-full of holes. They were
> essentially debugged out of it in late 90s. It seems to be more or
> less OK these days, but it's full of old cruft. And splitting the
> thing into reasonable parts and leaving them with minimal privileges
> they need is large and painful work.

Thanks for the comment. And why not just let it listen to 25 and then
being run as uid=nobody, gid=mail?
  Tomas

> 
> There are alternatives (e.g. exim, or two unmentionable ones) that are
> cleaner. Besides, there are some, erm, half-promises that next major
> release of sendmail may be a big cleanup. Hell knows what will come out
> of that.
> 




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Mohammad A. Haque wrote:

> Correct. <1024 requires root to bind to the port.

... And nothing says that it should be done by daemon itself.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Tomas Telensky wrote:

> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any elegant solution?

Sendmail is old. Consider it as a remnant of times when network was
more... friendly. Security considerations were mostly ignored - and
not only by sendmail. It used to be chock-full of holes. They were
essentially debugged out of it in late 90s. It seems to be more or
less OK these days, but it's full of old cruft. And splitting the
thing into reasonable parts and leaving them with minimal privileges
they need is large and painful work.

There are alternatives (e.g. exim, or two unmentionable ones) that are
cleaner. Besides, there are some, erm, half-promises that next major
release of sendmail may be a big cleanup. Hell knows what will come out
of that.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Mohammad A. Haque

On Tue, 24 Apr 2001, Tomas Telensky wrote:

> :-) Great.
> You and Alex are right - I agree that this is a complete moronism.
>
> But, what I should say to the network security, is that AFAIK in the most
> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any elegant solution?

If your distro is running httpd as root you may want to give them a nice
swift kick in the behind. By default apache is configured to run as
nobody.

Dunno about sendmail.

Correct. <1024 requires root to bind to the port.

-- 

=
Mohammad A. Haque  http://www.haque.net/
   [EMAIL PROTECTED]

  "Alcohol and calculus don't mix. Project Lead
   Don't drink and derive." --Unknown  http://wm.themes.org/
   [EMAIL PROTECTED]
=




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Tomas Telensky



> 
> trustix.co.id?  hehehe.
> 
> If you don't want to login with user/password, then change your
> password to "".  Don't want to even do that?  Then just change
> /etc/inittab to invoke "login -f username" instead of mingetty or
> whatever.  No need at all to hack the kernel up.
> 
> Dunno why you sent the patch here or to Linus though..  The
> chance of it even being looked at are about 1/2^infinity  ;o)

:-) Great.
You and Alex are right - I agree that this is a complete moronism.

But, what I should say to the network security, is that AFAIK in the most
of linux distributions the standard daemons (httpd, sendmail) are run as
root! Having multi-user system or not! Why? For only listening to a port
<1024? Is there any elegant solution?

  Tomas









Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Tomas Telensky wrote:

> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any elegant solution?

Sendmail is old. Consider it as a remnant of times when network was
more... friendly. Security considerations were mostly ignored - and
not only by sendmail. It used to be chock-full of holes. They were
essentially debugged out of it in late 90s. It seems to be more or
less OK these days, but it's full of old cruft. And splitting the
thing into reasonable parts and leaving them with minimal privileges
they need is large and painful work.

There are alternatives (e.g. exim, or two unmentionable ones) that are
cleaner. Besides, there are some, erm, half-promises that next major
release of sendmail may be a big cleanup. Hell knows what will come out
of that.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Mohammad A. Haque wrote:

> Correct. <1024 requires root to bind to the port.

... And nothing says that it should be done by daemon itself.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Tomas Telensky



On Tue, 24 Apr 2001, Alexander Viro wrote:

 
 
> On Tue, 24 Apr 2001, Tomas Telensky wrote:
>
> > of linux distributions the standard daemons (httpd, sendmail) are run as
> > root! Having multi-user system or not! Why? For only listening to a port
> > <1024? Is there any elegant solution?
>
> Sendmail is old. Consider it as a remnant of times when network was
> more... friendly. Security considerations were mostly ignored - and
> not only by sendmail. It used to be chock-full of holes. They were
> essentially debugged out of it in late 90s. It seems to be more or
> less OK these days, but it's full of old cruft. And splitting the
> thing into reasonable parts and leaving them with minimal privileges
> they need is large and painful work.

Thanks for the comment. And why not just let it listen to 25 and then
being run as uid=nobody, gid=mail?
  Tomas

>
> There are alternatives (e.g. exim, or two unmentionable ones) that are
> cleaner. Besides, there are some, erm, half-promises that next major
> release of sendmail may be a big cleanup. Hell knows what will come out
> of that.
 




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Tomas Telensky wrote:

> Thanks for the comment. And why not just let it listen to 25 and then
> being run as uid=nobody, gid=mail?

Handling of .forward, for one thing. Or pipe aliases, or...

None of this stuff is unsolvable (e.g. handling of .forward belongs to
MDA, not MTA), but changing that will break existing setups.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > Correct. <1024 requires root to bind to the port.
> ... And nothing says that it should be done by daemon itself.

Or that you shouldn't let inetd do it for you
And that you shouldn't drop the capabilities except that bind

It is possible to implement the entire mail system without anything running
as root but xinetd.







Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Alan Cox wrote:

> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
>
> Or that you shouldn't let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
>
> It is possible to implement the entire mail system without anything running
> as root but xinetd.

You want an MDA with elevated privileges, though...




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Gábor Lénárt

On Tue, Apr 24, 2001 at 03:18:11PM +0100, Alan Cox wrote:
> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
>
> Or that you shouldn't let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
>
> It is possible to implement the entire mail system without anything running
> as root but xinetd.

Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and
use port 2525 as SMTP port in your MTA. I've succeed to setup such a
configuration.

-- 
 --[ Gábor Lénárt ]---[ Vivendi Telecom Hungary ]-[ [EMAIL PROTECTED] ]--
 U have 8 bit comp or chip of them and it's unused or to be sold? Call me!
 ---[ +36 30 2270823 ]-- LGB -[ Linux/UNIX/8bit 4ever ]-



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alexander Viro



On Tue, 24 Apr 2001, Alan Cox wrote:

> > > It is possible to implement the entire mail system without anything running
> > > as root but xinetd.
> >
> > You want an MDA with elevated privileges, though...
> ^
> What role requires privilege once the port is open ?

.forward handling may, depending on how much do you want to put into it.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> > It is possible to implement the entire mail system without anything running
> > as root but xinetd.
>
> You want an MDA with elevated privileges, though...

What role requires privilege once the port is open ?

DNS lookup does not
Spooling to disk does not
Accepting a connection from a client does not
Doing peercred auth with a client does not
Copying spool articles matching the peercred to the client does not

Alan





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Pjotr Kourzanoff

On Tue, 24 Apr 2001, [iso-8859-2] Gábor Lénárt wrote:

> Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and

  This is more like 25 -> 2525 :-)

> use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> configuration.

  This requires you to ensure that your MTA is started first on that
  port...Might be difficult to achieve reliably in an automatic way
  without root privileges :-(

  mailuser@foo% /etc/rc.d/init.d/sendmail stop
  badguy@foo% ./suck 2525
  mailuser@foo% /etc/rc.d/init.d/sendmail start
  ...
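
The restart window in the transcript above, set against the arrangement raised earlier in the thread where a supervisor such as xinetd owns the listening socket; this is an added Python example, not part of the original message. It assumes Linux, uses a kernel-assigned loopback port in place of 2525, models each worker generation as a thread standing in for an unprivileged child that inherits the descriptor, and all function names are made up for illustration.

```python
import socket
import threading


def open_listener(port=0):
    """Bind and listen on loopback; port 0 lets the kernel pick a free high port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(8)
    return s


def can_bind(port):
    """True if any local user could claim 127.0.0.1:port at this moment."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        probe.bind(("127.0.0.1", port))
        return True
    except OSError:  # EADDRINUSE: a listener still holds the port
        return False
    finally:
        probe.close()


def worker(listener, banner):
    """One worker generation: serve a single client on the inherited socket, then exit."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(banner)


def read_banner(port):
    """Connect as a client and return everything the server sends before closing."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        chunks = []
        while True:
            data = c.recv(256)
            if not data:
                return b"".join(chunks)
            chunks.append(data)


def daemon_owned_restart():
    """The MTA binds the port itself, so 'stop' releases it until 'start' runs."""
    listener = open_listener()
    port = listener.getsockname()[1]
    held_while_running = not can_bind(port)
    listener.close()                      # init script "stop"
    free_during_restart = can_bind(port)  # window before "start"
    return held_while_running, free_during_restart


def supervised_restart(generations=2):
    """A supervisor binds once and keeps the socket; only the workers come and go."""
    listener = open_listener()
    port = listener.getsockname()[1]
    banners, free_between = [], []
    try:
        for n in range(1, generations + 1):
            t = threading.Thread(target=worker,
                                 args=(listener, b"220 worker %d\r\n" % n))
            t.start()
            banners.append(read_banner(port))
            t.join()                             # this generation has exited
            free_between.append(can_bind(port))  # could anyone take the port now?
    finally:
        listener.close()
    return banners, free_between


if __name__ == "__main__":
    print("daemon-owned:", daemon_owned_restart())
    print("supervised  :", supervised_restart())
```

With the daemon owning the socket the port is free between stop and start; with the supervisor holding it, the port is never free while workers are replaced.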






Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Gerhard Mack

On Tue, 24 Apr 2001, Alan Cox wrote:

> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
>
> Or that you shouldn't let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
>
> It is possible to implement the entire mail system without anything running
> as root but xinetd.
>
Qmail does exactly this AFAIK.

I've always found the root <1024 to be quite limited and find myself
wishing I could assign permissions based on ip/port.

Gerhard

 

--
Gerhard Mack

[EMAIL PROTECTED]

 As a computer I find your faith in technology amusing.




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread CaT

On Tue, Apr 24, 2001 at 03:37:34PM +0100, Alan Cox wrote:
> What role requires privilege once the port is open ?
>
>   DNS lookup does not
>   Spooling to disk does not
>   Accepting a connection from a client does not
>   Doing peercred auth with a client does not
>   Copying spool articles matching the peercred to the client does not

Running procmail as the user who is to receive the email for local mail
delivery as running it with gid mail (for eg) would allow one user to
modify another's mail.

(just a thought - the above's valid with sendmail at least)

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
<cat> speaking of mental giants..
<Jenna> me, a giant, bullshit
<Jenna> And i'm not mental
- An IRC session, 20/12/2000




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> > Copying spool articles matching the peercred to the client does not
>
> Running procmail as the user who is to receive the email for local mail
> delivery as running it with gid mail (for eg) would allow one user to
> modify another's mail.

What is this gid mail crap ? You don't need privilege. You get the mail by
asking the daemon for it. procmail needs no privilege either if it is done
right.

You just need to think about the security models in the right way. Linux gives
you the ability to do authenticated uid/gid checking over a socket connection.
That is an incredibly powerful model for real compartmentalisation.

Alan
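
The authenticated uid/gid check over a socket described above, as an added Python example that is not part of the original message and not code from any mail system named in the thread. It assumes Linux, where SO_PEERCRED on a Unix-domain socket returns the peer's pid, uid and gid as recorded by the kernel; the spool contents, the FETCH request line and all function names are constructed for illustration.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed spool keyed by numeric uid; OTHER_UID is a made-up second user.
MY_UID = os.getuid()
OTHER_UID = MY_UID + 1
SPOOL = {
    MY_UID: [b"Subject: for the caller\n"],
    OTHER_UID: [b"Subject: for somebody else\n"],
}

UCRED = struct.Struct("iII")  # struct ucred: pid_t pid; uid_t uid; gid_t gid


def peer_credentials(conn):
    """Return (pid, uid, gid) the kernel recorded for the connecting process."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def serve_one(listener, spool):
    """Accept one client and send it the spool of the uid the kernel vouches for."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(64)  # request text is read but never used for authorisation
        _pid, uid, _gid = peer_credentials(conn)
        for message in spool.get(uid, []):
            conn.sendall(message)


def fetch(path, claimed_uid):
    """Client side: ask for claimed_uid's mail and return whatever the daemon sends."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(b"FETCH %d\n" % claimed_uid)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                return b"".join(chunks)
            chunks.append(data)


def demo(claimed_uid):
    """Run an unprivileged spool daemon for one request and return the client's view."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "spool.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            listener.listen(1)
            t = threading.Thread(target=serve_one, args=(listener, SPOOL))
            t.start()
            try:
                return fetch(path, claimed_uid)
            finally:
                t.join()


if __name__ == "__main__":
    # The client claims to be OTHER_UID but still receives only its own mail.
    print(demo(OTHER_UID))
```

The daemon needs no privilege of its own to tell clients apart, because the identity comes from the kernel and not from anything the client sends.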




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> I've always found the root <1024 to be quite limited and find myself
> wishing I could assign permissions based on ip/port.

It's been done. Search for 'sockfs' I believe it was called.



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Gábor Lénárt

On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> On Tue, 24 Apr 2001, [iso-8859-2] Gábor Lénárt wrote:
>
> > Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and
>
>   This is more like 25 -> 2525 :-)

OK, that was a hard night for me, I need some sleep :)

> > use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> > configuration.
>
>   This requires you to ensure that your MTA is started first on that
>   port...Might be difficult to achieve reliably in an automatic way
>   without root privileges :-(
>
>   mailuser@foo% /etc/rc.d/init.d/sendmail stop
>   badguy@foo% ./suck 2525
>   mailuser@foo% /etc/rc.d/init.d/sendmail start

Yes, you're right. But this is a mail server without any user on it
(even users are authenticated from LDAP).

-- 
 --[ Gábor Lénárt ]---[ Vivendi Telecom Hungary ]-[ [EMAIL PROTECTED] ]--
 U have 8 bit comp or chip of them and it's unused or to be sold? Call me!
 ---[ +36 30 2270823 ]-- LGB -[ Linux/UNIX/8bit 4ever ]-



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread CaT

On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> > use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> > configuration.
>
>   This requires you to ensure that your MTA is started first on that
>   port...Might be difficult to achieve reliably in an automatic way
>   without root privileges :-(
>
>   mailuser@foo% /etc/rc.d/init.d/sendmail stop
>   badguy@foo% ./suck 2525
>   mailuser@foo% /etc/rc.d/init.d/sendmail start

Not necessarily. While I have not yet used the feature, iptables
permits firewalling on userid. I presume this includes whether or
not a program can listen on a port, right? (and all the other
fun things).

If so then all you'd have to do is deny external access to port 2525
and only permit mailuser to listen etc on it and you're set.

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
<cat> speaking of mental giants..
<Jenna> me, a giant, bullshit
<Jenna> And i'm not mental
- An IRC session, 20/12/2000




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread CaT

On Tue, Apr 24, 2001 at 03:59:28PM +0100, Alan Cox wrote:
> What is this gid mail crap ? You don't need privilege. You get the mail by
> asking the daemon for it. procmail needs no privilege either if it is done
> right.
>
> You just need to think about the security models in the right way. Linux gives
> you the ability to do authenticated uid/gid checking over a socket connection.
> That is an incredibly powerful model for real compartmentalisation.

Ok. My experience isn't all that great so I may well be missing something
here. But what?

1. email -> sendmail

2. sendmail figures out what it has to do with it. turns out it's deliver
it locally for user blah

3. sendmail starts procmail so that it delivers the email.

4. procmail goes through the recipe list for user blah and eventually
delivers the email (one way or another)

Now, in order for step 4 to be done safely, procmail should be running
as the user it's meant to deliver the mail for. for this to happen
sendmail needs to start it as that user in step 3 and to do that it
needs extra privs, above and beyond that of a normal user.

Now as I said, I'm not a UNIX God[tm] and so I may well be missing something
vital. If so, what is it? This sounds like something that would be way
useful to learn. :)

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
<cat> speaking of mental giants..
<Jenna> me, a giant, bullshit
<Jenna> And i'm not mental
- An IRC session, 20/12/2000




Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Jesse Pollard

Tomas Telensky [EMAIL PROTECTED]
> On Tue, 24 Apr 2001, Alexander Viro wrote:
> > On Tue, 24 Apr 2001, Tomas Telensky wrote:
> >
> > > of linux distributions the standard daemons (httpd, sendmail) are run as
> > > root! Having multi-user system or not! Why? For only listening to a port
> > > <1024? Is there any elegant solution?
> >
> > Sendmail is old. Consider it as a remnant of times when network was
> > more... friendly. Security considerations were mostly ignored - and
> > not only by sendmail. It used to be chock-full of holes. They were
> > essentially debugged out of it in late 90s. It seems to be more or
> > less OK these days, but it's full of old cruft. And splitting the
> > thing into reasonable parts and leaving them with minimal privileges
> > they need is large and painful work.

Actually, if you view sendmail as being an expert system it is very
cutting edge :-) It can identify a user from very skimpy data if it
is allowed to (fuzzy matching user names). It identifies local hosts
(with FQDN or partial name, or only host name).

> Thanks for the comment. And why not just let it listen to 25 and then
> being run as uid=nobody, gid=mail?

Because then everybody's mail would be owned by user nobody.

There are some ways to do this, but they are unreliable.

   1. If the user's mail is delivered to /var/mail/username; then the
      file /var/mail/username must always exist.

      This requires ALL MUAs to truncate the file.
      Some MUAs use file existence to determine if there is new mail.
      If it doesn't exist, then no new mail... ever.

   2. sendmail will not be able to create the /var/mail/username mail box.

   3. sendmail will not be able to process forwarding mail.
      User nobody should not be able to read files in user's home
      directory... .forward files are private to the user...

   4. sendmail will not be able to process user mail filters (same problem
      as forwarding).

Note: these filters are applied on receipt of mail (saves time and
disk space since the filter can discard mail immediately or put it
in appropriate folders immediately).

-
Jesse I Pollard, II
Email: [EMAIL PROTECTED]

Any opinions expressed are solely my own.



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Pjotr Kourzanoff

On Wed, 25 Apr 2001, CaT wrote:

> On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> > > use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> > > configuration.
> >
> >   This requires you to ensure that your MTA is started first on that
> >   port...Might be difficult to achieve reliably in an automatic way
> >   without root privileges :-(
> >
> >   mailuser@foo% /etc/rc.d/init.d/sendmail stop
> >   badguy@foo% ./suck 2525
> >   mailuser@foo% /etc/rc.d/init.d/sendmail start

> Not necessarily. While I have not yet used the feature, iptables
> permits firewalling on userid. I presume this includes whether or

  man iptables.

> not a program can listen on a port, right? (and all the other
> fun things).

> If so then all you'd have to do is deny external access to port 2525
> and only permit mailuser to listen etc on it and you're set.

  For this to work, you need to hack up iptables on the mail server
  itself as -m owner only works for locally generated packets. And
  even then ./suck will receive on 2525 but will not be able to reply.





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alan Cox

> 1. email -> sendmail
> 2. sendmail figures out what it has to do with it. turns out it's deliver
...

> Now, in order for step 4 to be done safely, procmail should be running
> as the user it's meant to deliver the mail for. for this to happen
> sendmail needs to start it as that user in step 3 and to do that it
> needs extra privs, above and beyond that of a normal user.

  email -> sendmail
  sendmail 'its local' -> spool

user:
  get_mail | procmail
  mutt

The mail server doesn't need to run procmail. If you wanted to run mail batches
through on a regular basis you can use cron for it, or leave a daemon running





Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Alex Riesen

On Tue, Apr 24, 2001 at 04:53:10PM +0100, Alan Cox wrote:
> > 1. email -> sendmail
> > 2. sendmail figures out what it has to do with it. turns out it's deliver
> ...
>
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.
>
>   email -> sendmail
>   sendmail 'its local' -> spool
Isn't this a good thing to have spam filtered out before it will be
written in spool?

Alex Riesen



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Jesse Pollard

-  Received message begins Here  -

 
> > 1. email -> sendmail
> > 2. sendmail figures out what it has to do with it. turns out it's deliver
> ...
>
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.
>
>   email -> sendmail
>   sendmail 'its local' -> spool
>
> user:
>   get_mail | procmail
>   mutt
>
> The mail server doesn't need to run procmail. If you wanted to run mail batches
> through on a regular basis you can use cron for it, or leave a daemon running

And get_mail must have elevated privileges to search for the user's mail...
or sendmail must have already switched user on receipt to put it in the
user's inbox which also requires privileges...

And an additional daemon (owned by the user) is yet another attack point...

Cron could be used to batch message handling... as long as it runs before
the user's quota is used up. This becomes the same as using IMAP or fetchmail
to download it.

It's much more efficient to process each mail as it arrives.

All this does is move the program that requires privileges to somewhere
else. It doesn't eliminate it.

Granted, sendmail could use a better implementation of a security model.

-
Jesse I Pollard, II
Email: [EMAIL PROTECTED]

Any opinions expressed are solely my own.



Re: [OFFTOPIC] Re: [PATCH] Single user linux

2001-04-24 Thread Markus Schaber

Hello,

On Tue, 24 Apr 2001, Alan Cox wrote:

> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.

>   email -> sendmail
>   sendmail 'its local' -> spool

> user:
>   get_mail | procmail
>   mutt

> The mail server doesn't need to run procmail. If you wanted to run mail batches
> through on a regular basis you can use cron for it, or leave a daemon running

Oh, well, cron is just another suid program.

This example would just be the ideal scenario for posix- or novell-style
ACLs in the filesystem.

You run the MDA/MTA under some mailerdaemon uid. And then a user can
explicitly give this daemon read access to .procmail etc. You can also
give the MTA (and nobody else) write access to /var/spool/mail. The MDA
then gives the specific user full access to the spoolfile when creating
it, or adding mail to it. And the user can fetch his mail and truncate or
delete the file just as he and his software is used to.

There are much more things with ACLs, especially in workgroup environments
(That's why I loved the old Novell server in our university), but they
never got into the kernel.  And as far as I (as a non-hacker) understand,
the fields reserved for this feature were dropped for the large file
support, so we may never see ACLs.

Regards,
Markus
-- 
| Happy is he who forgets what he never became.
+---. ,
http://www.uni-ulm.de/~s_mschab/ \   /
mailto:[EMAIL PROTECTED]  \_/




