On Tue, Dec 22, 1998 at 03:02:30PM -0500, Wietse Venema wrote:
> This is an invitation for constructive discussion regarding the
> merits of world-writable maildrop directories versus set-uid or
> set-gid posting agents.
>
> The Postfix design takes an unusual approach. In the light of
> experience, I have no difficulty making changes to the design, but
> I want to make an informed decision.
>
> World-writable maildrop directories
> -----------------------------------
[SNIP]
> Set-uid/gid posting agents
> --------------------------
[SNIP]
> Future direction
> ----------------
>
> I see two directions for Postfix evolution: 1) maintain the present
> world-writable maildrop and unprivileged posting agent and 2) use
> a protected directory and a set-gid posting agent (set-uid seems
> to have no obvious advantage here). Is it feasible to keep maildrop
> queue file names secret, and are the other attacks indeed mere
> annoyances? Is it feasible to write secure set-gid programs that
> are not only secure today, but that will be secure on tomorrow's
> UNIX systems as well?

3) Use a UNIX socket, TCP/IP, named pipes, whatever you want, to
communicate between user-level, user-owned processes (which might be a
nice sendmail-like interface) and a long-running process that writes
into the queue. No s[ug]id execution, no world-writeable dirs, just a
small performance hit.

Greetz, Peter.

--
'I guess anybody who walks away from a root shell at : Peter van Dijk
a nerd party gets what they deserve!' -- BillSF :peterat_private
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
finger hardbeatat_private for my public PGP-key
- --- - --- - --- - --- - --- - --- - --- - --- - --- -
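The following is an added example, not code from Peter's message, from Wietse's, or from Postfix itself. It sketches the third option above: an ordinary, unprivileged user process hands its message to a long-running posting daemon over a UNIX-domain socket, and only the daemon ever touches the queue directory, so there is no set-uid/set-gid binary to get wrong and no world-writable maildrop to race on. Everything specific is an assumption of the sketch: the queue layout (a 0700 directory with tmp/ and new/), the X-Submitter-Uid header the daemon stamps on the file, the 64 KiB size cap, and a socketpair() standing in for a real connection to the daemon's listening socket. The submitter's identity comes from the kernel (SO_PEERCRED on Linux, getpeereid() on the BSDs), never from anything the client writes.

```c
/* Added example, not code from the original message or from Postfix: a
 * sketch of "option 3".  An unprivileged client hands its message to a
 * long-running posting daemon over a UNIX-domain socket and only the daemon
 * touches the protected queue.  The tmp/ + new/ layout and the
 * X-Submitter-Uid header are assumptions of this sketch. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

struct peer_cred { pid_t pid; uid_t uid; gid_t gid; }; /* = Linux struct ucred */

/* Ask the kernel who is on the other end; never trust a uid the client sends. */
static int peer_uid(int conn, uid_t *uid)
{
#ifdef SO_PEERCRED                                  /* Linux */
    struct peer_cred pc; socklen_t pl = sizeof pc;
    if (getsockopt(conn, SOL_SOCKET, SO_PEERCRED, &pc, &pl)) return -1;
    *uid = pc.uid; return 0;
#else                                               /* BSD / macOS */
    gid_t gid; return getpeereid(conn, uid, &gid);
#endif
}

/* Daemon side: create the queue file 0600 in tmp/, fill and fsync it, then
 * rename it into new/ (no partial or foreign-readable file ever appears). */
int queue_deliver(const char *qdir, uid_t uid, const char *body, size_t len,
                  char *out, size_t outsz)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s/tmp/msg.XXXXXX", qdir);
    int fd = mkstemp(tmp); if (fd < 0) return -1;
    FILE *fp = fchmod(fd, 0600) == 0 ? fdopen(fd, "w") : NULL; /* ignore umask */
    if (!fp) { close(fd); unlink(tmp); return -1; }
    int ok = fprintf(fp, "X-Submitter-Uid: %lu\n", (unsigned long)uid) > 0
          && fwrite(body, 1, len, fp) == len && fflush(fp) == 0 && fsync(fd) == 0;
    fclose(fp);
    snprintf(out, outsz, "%s/new/%s", qdir, strrchr(tmp, '/') + 1);
    if (!ok || rename(tmp, out) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Daemon side: read until the client half-closes, then queue the message
 * under the kernel-reported uid (uid_out must be non-NULL). */
int posting_daemon_handle(int conn, const char *qdir, uid_t *uid_out,
                          char *out, size_t outsz)
{
    static char buf[65536]; size_t n = 0; ssize_t r;   /* one message at a time */
    if (peer_uid(conn, uid_out) != 0) return -1;
    while ((r = read(conn, buf + n, sizeof buf - n)) > 0)
        if ((n += (size_t)r) == sizeof buf) return -1;  /* too large for the sketch */
    return r < 0 ? -1 : queue_deliver(qdir, *uid_out, buf, n, out, outsz);
}

/* Client side: an ordinary user process with no access to the queue at all.
 * It writes the message to the socket and half-closes to mark the end. */
int posting_client_send(int conn, const char *msg)
{
    for (size_t len = strlen(msg), off = 0; off < len; ) {
        ssize_t w = write(conn, msg + off, len - off);
        if (w < 0) return -1; else off += (size_t)w;
    }
    return shutdown(conn, SHUT_WR);
}

/* Demo: build a private 0700 queue under /tmp, then push one submission
 * through a socketpair standing in for a connection to the daemon. */
int demo_submit(const char *msg, uid_t *uid_out, char *out, size_t outsz)
{
    char qdir[] = "/tmp/pqueue.XXXXXX", sub[4096]; int sv[2];
    if (!mkdtemp(qdir)) return -1;                        /* created 0700 */
    snprintf(sub, sizeof sub, "%s/tmp", qdir); if (mkdir(sub, 0700)) return -1;
    snprintf(sub, sizeof sub, "%s/new", qdir); if (mkdir(sub, 0700)) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int rc = posting_client_send(sv[0], msg);
    if (rc == 0) rc = posting_daemon_handle(sv[1], qdir, uid_out, out, outsz);
    close(sv[0]); close(sv[1]);
    return rc;
}

/* Check a queued file: mode exactly 0600, header line then body. */
int demo_verify_file(const char *path, uid_t uid, const char *body)
{
    char want[4096], got[4096]; struct stat st;
    if (stat(path, &st) != 0 || (st.st_mode & 0777) != 0600) return 0;
    FILE *fp = fopen(path, "r");
    if (!fp) return 0;
    size_t n = fread(got, 1, sizeof got - 1, fp); got[n] = '\0'; fclose(fp);
    snprintf(want, sizeof want, "X-Submitter-Uid: %lu\n%s", (unsigned long)uid, body);
    return strcmp(got, want) == 0;
}
```

A driver would call demo_submit() with a constructed message and then demo_verify_file() on the path it returns; the queue directory is left under /tmp for inspection. The point of the split is that the client never runs with anyone else's privileges and never needs write access to the queue, the daemon learns who submitted from the kernel rather than from the message, and the daemon alone decides file ownership and mode (tmp-then-rename, 0600 regardless of umask), which is exactly the set of properties the set-gid and world-writable designs have to fight for. The "small performance hit" Peter mentions is the extra process and the copy across the socket.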