On Wed, 7 May 1997, Chris Bradley wrote:
> They're pretty strict about security where I work, so I was trying to
> determine which is more secure: setuid or setuid+seteuid.
The latter, slightly.
> Now, from some of the articles about security I've been reading, seteuid
> is sometimes considered not as secure as setuid.
Indeed. That is why Exim uses setuid for its main security controls. It
uses seteuid only as an "added extra". I now wish I had never bothered.
The mere fact that the text "seteuid" occurs in the source has the
effect of sending some people ballistic.
> But, the way Exim is written, does Exim stay in "root" mode longer
> in "Setuid" mode than in "setuid+seteuid" mode? That is, if we were trying
> to reduce the amount of time the code is running with a uid of root,
> would you choose "setuid" or "setuid+seteuid" security mode?
The latter. The effect of "+seteuid" causes it not to be root while
doing the routing and directing, but by the use of seteuid, so that it
can regain root in order to use setuid (sic) to become the user for
deliveries.
It only uses seteuid *instead* of setuid if you use the weakest
"seteuid" security setting. This is not recommended for normal use.
On Thu, 8 May 1997, Jon Peatfield wrote:
> BTW what happened to the person who claimed that he had found loads of
> security holes in Exim, was it true or were they fake?
I corresponded with him. There were some valid concerns about the
handling of certain string operations. I have done some work for 1.63
which addresses these concerns. Nobody has found an actual hole yet.
(That doesn't mean there aren't any. I'm just as capable of writing
buggy code as anybody else.) The comments were all of the form "you have
done things in a way that might lead to a security problem" rather than
"here is a hole; this is how to exploit it".
Philip
--
Philip Hazel University Computing Service,
ph10@??? New Museums Site, Cambridge CB2 3QG,
P.Hazel@??? England. Phone: +44 1223 334714
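
As an added example, not Exim's code and not part of the exchange above: a small C program that follows the two privilege changes Philip describes. It sets root aside with seteuid() for the "routing and directing" phase, takes it back with seteuid(0), and then gives it up for good with setuid() before "delivery", checking afterwards that seteuid(0) now fails. It assumes POSIX saved set-user-ID semantics (Linux, the BSDs); the function names, the use of the "nobody" account and the 65534 fallback are choices made for the demo, not anything Exim does. Run as an ordinary user it can only switch to its own uid, so the interesting output needs root.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pick a uid to "become".  Not running as root we may only switch to our
 * own uid; as root, use "nobody", or 65534 if it cannot be looked up
 * (both assumptions made for this demo). */
uid_t pick_unprivileged_uid(void)
{
    if (getuid() != 0)
        return getuid();
    struct passwd *pw = getpwnam("nobody");
    return pw ? pw->pw_uid : (uid_t)65534;
}

/* Temporary drop (the "+seteuid" part): only the effective uid changes.
 * The saved set-user-ID still holds the old privilege, so this can be
 * undone later with seteuid().  Returns 0 on success, -1 on failure. */
int drop_privs_temporarily(uid_t uid)
{
    if (seteuid(uid) != 0)
        return -1;
    return geteuid() == uid ? 0 : -1;
}

/* Undo a temporary drop.  Returns 0 if the old effective uid is back,
 * -1 (errno EPERM) if it cannot be, e.g. after a permanent drop. */
int regain_privs(uid_t saved_euid)
{
    if (seteuid(saved_euid) != 0)
        return -1;
    return geteuid() == saved_euid ? 0 : -1;
}

/* Permanent drop (the setuid() step before delivery).  For a root caller
 * setuid() sets real, effective and saved uid together, so there is no way
 * back.  The checks afterwards are what a reviewer wants to see: if
 * seteuid(0) still succeeds, the drop was not permanent.  Returns 0 when
 * the drop is verified, -1 otherwise. */
int drop_privs_permanently(uid_t uid)
{
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    /* Must fail now.  Success here is the seteuid-only situation: the
     * supposedly unprivileged code could still become root. */
    if (seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    uid_t start = geteuid();
    uid_t target = pick_unprivileged_uid();

    printf("start: uid=%d euid=%d, target uid=%d\n",
           (int)getuid(), (int)geteuid(), (int)target);

    /* Phase 1: routing/directing with root set aside but recoverable. */
    if (drop_privs_temporarily(target) != 0) {
        perror("seteuid");
        return 1;
    }
    printf("after seteuid: euid=%d\n", (int)geteuid());

    /* Regain root.  This is exactly what the weak seteuid-only setting
     * leaves possible at delivery time. */
    if (regain_privs(start) != 0) {
        perror("seteuid back");
        return 1;
    }
    printf("after seteuid back: euid=%d\n", (int)geteuid());

    /* Phase 2: become the delivery user for good. */
    if (drop_privs_permanently(target) != 0) {
        fprintf(stderr, "permanent drop failed or was reversible\n");
        return 1;
    }
    printf("after setuid: uid=%d euid=%d; seteuid(0) -> %s\n",
           (int)getuid(), (int)geteuid(),
           regain_privs(0) == 0 ? "succeeded (BAD)" : strerror(errno));
    return 0;
}
```

Run as root, the middle seteuid(0) succeeds and the final one reports "Operation not permitted"; that final failure is the property the setuid step buys and the one the seteuid-only setting gives up. Run as an ordinary user, every step is a no-op switch to your own uid, and the final seteuid(0) fails for the ordinary reason that you never had root.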