[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: zmailer and other uids

On Mon, Jan 24, 2000 at 01:37:20PM +0100, Grzegorz Janoszka wrote:
> Welcome,
> Yeah, zmailer is great, but I don't like one thing in it: probably all
> processes are running as root.

	Propably it is possible.  Things to take into account include
	(but are not limited to):
		- Spool-files must be readable by router process,
		  which may require front-end router to move publicly
		  submitted files into more protected area, and open
		  file protection sufficiently to allow its reading
		- Routing needs to read people's  ~/.forward  which
		  as (e.g.) ``zmailer'' uid will propably need directory
		  protection of  711  or slightly more open (755)
		  and .forward must likely be globally readable too..
		- Routing needs to read other databases (which can
		  be specific to routing user)
		- routing needs to read include files ( :include: or
		  whatever mechanism is being used )
		- Outbound delivery may need to run at recipient user
		  privileges, possibly could be done in one-way environment
		  too in sense that server fork()s and then setuid()s
		  to destination user.
		- scheduler and TA programs must be able to modify
		  router generated TA-specs files. (Locks, error states

	I don't know how qmail does its uid play, but compared to
	sendmail, ZMailer doesn't have *any* setuid programs.
	There is no need to be able to move from submitting user
	via setuid to root to other uid in ZMailer environment
	during a lifetime of a process.

> I think it would be a great security improvement (I don't tell that
> zmailer is not secure), if most of the processes were running as non-root
> user. Qmail has qmaild user for smtp-daemon, qmailr for remote
> deliveries. I'm not zmailer expert, but I looked at zmailer architecture
> and it should be easy to add such features - only to call some of the
> set*id() functions right after bind() and to change owner of the queue
> directory.

	Yes, there are some things which can be done in non-root mode.
	Currently smtpserver runs as root to accept(), then it fork()s,
	open()s logfile, and switches to ``daemon'' (trusted user).

	Except one thing with scheduler ETRN interface (moving file
	to POSTOFFICE/transport/ ) it doesn't need to return from that
	userid to root for normal message reception operation.

> The best functions of the set*id() group are setresuid and setresgid, but
> they are linux-specific, under other OS, setreuid and setregid should be
> used.
> I would by grateful for an answer explaining, if this features will be
> introduced in zmailer soon, or if not, or at least if we should sent some
> tested patches.
> Thanks for all and good luck in work for zmailer :)
> -- 
> Grzegorz Janoszka
> onet.pl network admin

/Matti Aarnio	<mea@nic.funet.fi>