[ from a recent thread spun from the Sendmail 8.8.4 discussion, re Exim ]
26 Jan 1997 18:52:23 GMT paul@???: >To clarify, this is what I meant. Sendmail doesn't need to be actually
>running as root for most of what it does, and only really needs to revert
>back to root when switching UID/GID for local deliveries.
To clarify something: any program that relies on saved-set-uid to toggle
between privileged and non-privileged modes is equally as vulnerable to
stack overruns (and any other problem that involves directly hijacking
control of the process) as a program that operates entirely in privileged
mode.
Exim uses seteuid() extensively to toggle between privilege modes, and I
note that the code is riddled with unchecked string manipulations routines
(trusty 'wc' tells me 46 occurances of strcpy(), 260 occurances of
sprintf(), and 16 instances of strcat()). Without extensive review of this
code, I'd be exceedingly concerned about the probability of stack overruns
in the Exim package.
qmail was designed from the ground up for security, does not rely on
saved set ID's for least privilege, and does not use Standard C library
functions for string manipulations. qmail's security design also seems
much more coherent, and is far better documented.
I'd be interested in hearing more about what Exim's implementors did to
address security concerns.
--
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@???]
----------------
exit(main(kfp->kargc, argv, environ));
