On 2000-08-28 at 06:34 +0600, Mustapha Mahfouz gifted us with:
> I have been hearing good things about exim of late such as its speed, and
> ease of configurability, however I have also seen exim being criticised a
> lot on various security forums about its low(?) security.
I am known by my colleagues for being paranoid. I upset our company's
main security team (with international remit, based in London) by being
more paranoid than them, and locking things down more securely.
I'm happy with Exim, and sleep soundly at night. I'm more comfortable
with the security in Exim than in, eg, Apache. There are very few
applications which I deploy, and then don't worry about because I'm
confident that they're secure.
> 1. Exim has a monolithic design like sendmail (which is the root cause of
> all the security bugs we here about sendmail), unlike MTA's like qmail and
> postfix. Will this compromise the machine its run under.
Monolithic vs modular - modular basically allows tyou to massively
reduce the scope of any trust. But, eg, Postfix showed in the early
versions how this caused problems because the high-trust modules need to
allow access to the lower-trust modules, so some permissions were too
open.
A greater influence upon security is the design of the programming
interfaces, and what sort of coding practice they encourage. DJ
Bernstein has been re-designing some old interfaces and coming up with
some extremely good new ones, without many of the inherent problems.
Reading the Exim source, I have generally been impressed. The ways in
which buffers, strings and memory is managed is sensible and well
thought out. The source generally shows that the programmer knows about
security and has written in a secure manner. The fact that Exim's
author doesn't jump up and down screaming about every other MTA out
there is a comment on his character - he doesn't seem to feel the need
to denigrate everyone else and their products just to protect his ego.
(Okay, I don't like the indentation, but that's not security-affecting
;^)
> 2. I have read the exim root exploit in version 1.62, which says in a
> summary that exim 1.62 let any local user obtain root privileges. Also I
> have read the post where DJ barnstien says
1.62 is ancient, and not that far removed from the old code which Exim
was originally based upon. This is akin to saying "Unix is insecure,
just look at AT&T Release 7!" This is as opposed to certain MTA authors
who shall remain anonymous, but who threaten to sue you if you so much
as question the security of their product.
> "Motivation: Thomas Ptacek posted a summary of exim's security problems
> in April. Fixing those problems should have been the top priority of
> exim's author, Philip Hazel.
Who, in my experience as a user, not as someone with a vested interest
in another product, is generally extremely prompt to respond to
bug-reports. And I've not seen any security bug-reports.
> also some stuff
> was mentioned about a 1000$ unclaimed reward for anyone that cracks qmail.
>
> Also I am sure that you and several exim users could place a reward for
> security holes in Exim as proof of exims high security, so that we too
> have a rejoinder when people mention about this so-called qmail reward.
No.
See:
<
http://www.ieee-security.org/Cipher/Newsbriefs/1996/960212.challenges.html>
"Hacker Challenges -- Boon or Bane?"
Eugene H. Spafford
Note that Eugene Spafford is an extremely well-known and respected
security person; he runs COAST (<
http://coast.cs.purdue.edu/>); he
co-authored an O'Reilly book on security, and has generally been working
to improve the security of 'Net stuff for many many years. I'd trust
his view above that of someone "spinning their product". So-called
hacker challenges are a con, and they don't work.
--
"We've got a patent on the conquering of a country through the use of force.
We believe in world peace through extortionate license fees." -Bluemeat
