Wietse Venema <wietseat_private> writes: > I see two directions for Postfix evolution: 1) maintain the present > world-writable maildrop and unprivileged posting agent and 2) use > a protected directory and a set-gid posting agent (set-uid seems > to have no obvious advantage here). Is it feasible to keep maildrop > queue file names secret, and are the other attacks indeed mere > annoyances? Is it feasible to write secure set-gid programs that > are not only secure today, but that will be secure on tomorrow's > UNIX systems as well? The only thing that Postfix really needs is a tiny sgid program (about 20 lines in length) that reads a mail message on stdin and writes it out to a file in the mail drop directory -- and *only* into the mail drop directory, and *only* if the file doesn't exist yet (i.e. open with O_CREAT). The gid would be unique to the mail drop directory -- breaking the ID would at best leave you with the ability to do the sorts of things you can do right now (i.e. nothing particularly mean). Because the program would be very small, it could be well scrutinized. Because it would be a gateway to microscopic privileges, it would be not-so-bad if it were broken. With this out of the way, Postfix would lose some edge condition problems it has now because of the world writable spool dir. This would not be a perfect fix, but it would be reasonably pragmatic. Perry
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:13 PDT