Re: zmailer and other uids
On Mon, Jan 24, 2000 at 01:37:20PM +0100, Grzegorz Janoszka wrote:
> Welcome,
>
> Yeah, zmailer is great, but I don't like one thing in it: probably all
> processes are running as root.
Probably it is possible. Things to take into account include
(but are not limited to):
- Spool-files must be readable by router process,
which may require front-end router to move publicly
submitted files into more protected area, and open
file protection sufficiently to allow its reading
- Routing needs to read people's ~/.forward which
as (e.g.) ``zmailer'' uid will probably need directory
protection of 711 or slightly more open (755)
and .forward must likely be globally readable too..
- Routing needs to read other databases (which can
be specific to routing user)
- routing needs to read include files ( :include: or
whatever mechanism is being used )
- Outbound delivery may need to run at recipient user
privileges, possibly could be done in one-way environment
too in sense that server fork()s and then setuid()s
to destination user.
- scheduler and TA programs must be able to modify
router generated TA-specs files. (Locks, error states
etc..)
I don't know how qmail does its uid play, but compared to
sendmail, ZMailer doesn't have *any* setuid programs.
There is no need to be able to move from submitting user
via setuid to root to other uid in ZMailer environment
during a lifetime of a process.
> I think it would be a great security improvement (I don't tell that
> zmailer is not secure), if most of the processes were running as non-root
> user. Qmail has qmaild user for smtp-daemon, qmailr for remote
> deliveries. I'm not a zmailer expert, but I looked at zmailer architecture
> and it should be easy to add such features - only to call some of the
> set*id() functions right after bind() and to change owner of the queue
> directory.
Yes, there are some things which can be done in non-root mode.
Currently smtpserver runs as root to accept(), then it fork()s,
open()s logfile, and switches to ``daemon'' (trusted user).
Except one thing with scheduler ETRN interface (moving file
to POSTOFFICE/transport/ ) it doesn't need to return from that
userid to root for normal message reception operation.
> The best functions of the set*id() group are setresuid and setresgid, but
> they are linux-specific, under other OS, setreuid and setregid should be
> used.
>
> I would be grateful for an answer explaining if these features will be
> introduced in zmailer soon, or if not, or at least if we should send some
> tested patches.
>
> Thanks for all and good luck in work for zmailer :)
>
> --
> Grzegorz Janoszka
> onet.pl network admin
--
/Matti Aarnio <mea@nic.funet.fi>
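The privilege-drop sequence the reply describes for smtpserver (open the log while still root, then switch to the unprivileged user) together with the setresuid point from the quoted message, as an added C example that is not ZMailer's own code. The function names, the log path argument and the refusal of uid 0 are this example's assumptions; the setreuid/setregid branch is the non-Linux fallback the thread mentions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to an unprivileged uid/gid for good, in the order that
 * matters: supplementary groups first (needs root), then gid, then uid.
 * Returns 0 on success, -1 with errno set on failure. Refuses uid 0. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Clearing supplementary groups requires privilege; an already
     * unprivileged process has nothing it is allowed to clear. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
#ifdef __linux__
    /* setresuid/setresgid set real, effective and saved ids at once, so
     * no saved root id is left behind to come back to. */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
#else
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
#endif
    return 0;
}

/* Verify the drop is irreversible: asking for root back must fail. */
int privileges_dropped(void)
{
    return geteuid() != 0 && getuid() != 0 && setuid(0) == -1 && errno == EPERM;
}

/* Forked-child sequence from the reply: open the log while still root,
 * then drop to the trusted user before touching any client data.
 * Hypothetical log path; returns the log fd (kept across the drop) or -1. */
int start_child(const char *logpath, uid_t uid, gid_t gid)
{
    int logfd = open(logpath, O_WRONLY | O_APPEND | O_CREAT, 0640);
    if (logfd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0 || !privileges_dropped()) {
        close(logfd);
        return -1;
    }
    return logfd;
}
```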