On Thu, Dec 20, 2001 at 09:38:41AM +0000, Philip Hazel wrote:
> On Thu, 20 Dec 2001, Miquel van Smoorenburg wrote:
> > On the INN mailing list someone suggested the following:
> > - let the non-privileged daemon create a socket and fork()
> > - the child exec()s a small setuid helper program
> > - that setuid helper program of course also inherits the socket fd
> > - the helper binds the socket to port 25 and exit()s
> > Now the main program has a socket bound to port 25.
> How does this make life more secure than:
> - let the daemon program be privileged
This is fine if your daemon must be privileged. Consider, however, the
case of a relay-only configuration, where you'd rather everything be as
unprivileged as possible, as the only writing to disk is for the spool
(by relay only, I mean that no local deliveries take place). This means
that if some exploit is discovered, it still can't be exploited.
> - the daemon creates a socket and binds it to port 25
Obviously this can be done if the daemon is root.
> - the daemon obeys setuid() to give up the privilege
Because you then have a complicated daemon to audit, as opposed to the
much smaller program below.
It is very easy for a program author to get this wrong and, for example,
fail to call setgid first, leaving it with a high group privilege. If
your daemon doesn't run setuid at all, then this makes the code less
complicated. It also prevents reinventing wheels.
> (which is what Exim does)? You also have the added complication of
> controlling who may exec the helper.
Right. But the helper can be *managed* separately, and have, say, a
configuration file that says "exim is allowed to bind to 25/tcp", and
this helper could be generic. This means that the amount of root-run
code is actually pretty small. It would also mean that the same helper
could do "news is allowed to bind to 119/tcp", or, for a non-user-based
IMAPd (e.g. cyrus), "cyrus is allowed to bind to 143/tcp and 993/tcp".
It would also allow one to run a nameserver as non-root.
One example of such a program is Ian Jackson's authbind, which
unfortunately relies (currently) on LD_PRELOAD hacks. This is, IMHO,
pretty ugly. But I believe that other people have written similar
things.
MBM

-- 
Matthew Byng-Maddick <mbm@???> http://colondot.net/