Re: Anonymous Qmail Denial of Service

From: Wietse Venema (wietseat_private)
Date: Sun Jan 10 1999 - 14:35:36 PST


    Bernstein's posting contains inaccuracies. Rather than boring the
    reader I will just address a few. If there is sufficient demand I
    will make the full list available for those who care.
    
    >    * The world-writable drop directory was made unreadable. The
    >      [Postfix] author called this a ``solution'' and claimed that
    >      inode numbers offer 15 bits of randomness. In fact, on almost all
    >      UNIX systems today, inode numbers are trivially predictable. This
    >      is security through obscurity.
    
    The claim that the non-readable maildrop was offered as a ``solution''
    is inaccurate.  The non-readable maildrop was offered as a "short-term,
    interim solution", while a "permanent solution is under development".
    The announcement is likely to be still on-line.  The USENET news
    Message ID is <75r5q7$a3h$1at_private>.
    
    The claim that Postfix file name randomness is based on inode numbers
    is inaccurate.  The 15 bits of randomness that I referred to are
    based on the time of day in microseconds, which gives about 15 bits
    depending on implementation.  Now, 15 bits isn't a lot, but this
    scheme was chosen when queue file names were not meant to be secret.
    
    Before I end this post there is one observation that I would like
    to share with the reader.  In December, Daniel Bernstein posted a
    message to the qmail mailing list with the subject: "Anonymous
    postfix denial of service", describing a variety of local attacks
    with Bernstein accuracy.  By way of response I described a local
    attack in a posting titled "Anonymous qmail denial of service".
    
    How memory can fail.  Daniel Bernstein denies that he attacked
    Postfix for being subject to a DoS attack, with the following words:
    
    D. J. Bernstein:
    > Perry E. Metzger writes:
    > > You attacked Postfix for being subject to a DoS attack.
    >
    > I pointed out that [Postfix] allowed local users to
    >
    >    * anonymously destroy messages accepted by the MTA from other users;
    >    * obtain traffic information that some sites consider private;
    >    * on some UNIX variants, charge mail to the wrong user; and
    >    * under specialized circumstances, steal unreadable files.
    >
    > Which of these are you calling a ``denial-of-service attack,'' Perry?
    
    The claim is in the title, Dan: "Anonymous postfix denial of
    service". You can find it in your own mailing list archive.
    
            Wietse
    


