Re: [Exim] Re: Exim and IBM DB2

Author: Peter Galbavy
Date:  
To: Matthew Byng-Maddick, exim-users
Subject: Re: [Exim] Re: Exim and IBM DB2
Also note that another 'trick' that is common on web servers with modern
free unices is to run the 'daemon' on a high port number with no root privs
and do a redirect in an IP packet filter like IPF/PF on the BSDs.

Peter

----- Original Message -----
From: "Matthew Byng-Maddick" <exim@???>
To: <exim-users@???>
Sent: Thursday, December 20, 2001 10:10 AM
Subject: Re: [Exim] Re: Exim and IBM DB2


> On Thu, Dec 20, 2001 at 09:38:41AM +0000, Philip Hazel wrote:
> > On Thu, 20 Dec 2001, Miquel van Smoorenburg wrote:
> > > On the INN mailinglist someone suggested the following:
> > > - let the non-privileged daemon create a socket and fork()
> > > - the child exec()s a small setuid helper program
> > > - that setuid helper program of course also inherits the socket fd
> > > - the helper binds the socket to port 25 and exit()s
> > > Now the main program has a socket bound to port 25..
> > How does this make life more secure than:
> > - let the daemon program be privileged
>
> This is fine if your daemon must be privileged. Consider, however, the
> case of a relay-only configuration, where you'd rather everything be as
> unprivileged as possible, as the only writing to disk is for the spool
> (by relay only, I mean that no local deliveries take place). This means
> that if some exploit is discovered, it still can't be exploited.
>
> > - the daemon creates a socket and binds it to port 25
>
> Obviously this can be done if the daemon is root.
>
> > - the daemon obeys setuid() to give up the privilege
>
> Because you then have a complicated daemon to audit, as opposed to the
> much smaller program below.
>
> It is very easy for a program author to get this wrong, and, for example,
> fail to call the setgid first, and leave with a high group privilege. If
> your daemon doesn't run setuid at all, then this makes the code less
> complicated. It also prevents reinventing wheels.
>
> > (which is what Exim does)? You also have the added complication of
> > controlling who may exec the helper.
>
> Right. But the helper can be *managed* separately, and have, say, a
> configuration file, that says that "exim is allowed to bind to 25/tcp",
> and this helper could be generic. This means that the amount of root-run
> code is actually pretty small. It would also mean that the same helper
> could do "news is allowed to bind to 119/tcp". Or, for a non-user based
> IMAPd (e.g. cyrus) "cyrus is allowed to bind to 143/tcp and 993/tcp", it
> would also allow one to run a nameserver as non-root.
>
> One example of such a program is Ian Jackson's authbind, which
> unfortunately relies (currently) on LD_PRELOAD hacks. This is, IMHO,
> pretty ugly. But I believe that other people have written similar
> things.
>
> MBM
>
> --
> Matthew Byng-Maddick         <mbm@???>         http://colondot.net/
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##
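The scheme the quoted message describes (unprivileged daemon creates the socket and forks, a small setuid helper inherits the descriptor, binds it to the privileged port and exits, and the daemon then listens on it), written out as an added example. This is not Exim, INN or authbind code, and nothing in the thread specifies it; the helper path, the rule table, the uids in it and the choice of loopback are assumptions. It runs as any user because the self-contained path asks for port 0 (an unprivileged port the kernel picks); the exec path shows what the child would do when the helper is actually installed setuid root.

```c
/* Added example (not Exim, INN or authbind code): an unprivileged daemon makes
 * the socket, a forked child that inherits the fd binds it (in deployment via a
 * setuid helper), and the parent listens on the result. Helper path, rule
 * table, uids and loopback are assumptions. Build: cc -std=c99 -Wall bind.c */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Helper side: the only code that would run setuid root.
 * Stand-in for the helper's config ("exim may bind 25/tcp, news 119/tcp"). */
struct rule { uid_t uid; unsigned short port; };
static const struct rule example_rules[] = { { 8, 25 }, { 9, 119 } };  /* made up */
#define N_RULES (sizeof example_rules / sizeof example_rules[0])

static int port_allowed(uid_t uid, unsigned short port)
{
    for (size_t i = 0; i < N_RULES; i++)
        if (example_rules[i].uid == uid && example_rules[i].port == port)
            return 1;
    return 0;
}

/* Bind the inherited fd on behalf of caller (the real uid, which a setuid
 * binary keeps from its invoker). Only ports below 1024 need root, so only
 * those are checked against the table; 0 means "any free unprivileged port".
 * Refuses non-stream sockets so the helper cannot be aimed at an arbitrary fd.
 * Returns 0 on success, -1 otherwise. */
static int helper_bind(int fd, unsigned short port, uid_t caller)
{
    int type; socklen_t len = sizeof type;
    if (port != 0 && port < 1024 && !port_allowed(caller, port))
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == -1 || type != SOCK_STREAM)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    return bind(fd, (struct sockaddr *)&sin, sizeof sin);
}

/* Daemon side: never has root. The forked child hands the fd number and the
 * port to the helper on its command line; the descriptor survives execl()
 * because it is not FD_CLOEXEC. The helper parses the two arguments, calls
 * helper_bind(fd, port, getuid()) and exits. Returns only if the exec fails. */
static void exec_helper(int fd, unsigned short port)
{
    char fdstr[16], portstr[8];
    snprintf(fdstr, sizeof fdstr, "%d", fd);
    snprintf(portstr, sizeof portstr, "%u", port);
    execl("/usr/local/sbin/bindhelper", "bindhelper", fdstr, portstr, (char *)NULL);
    _exit(127);
}

/* Create the socket, fork, let the child bind it, reap the child, listen. The
 * bind is visible to the parent because both processes share one open file
 * description. use_exec=0 calls helper_bind() in the child directly so the
 * example runs without an installed helper. Returns the listening fd or -1. */
static int acquire_listener(unsigned short port, int use_exec)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fd); return -1; }
    if (pid == 0) {
        if (use_exec)
            exec_helper(fd, port);
        _exit(helper_bind(fd, port, getuid()) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)
        || WEXITSTATUS(status) != 0 || listen(fd, 16) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port the socket is bound to, as the parent sees it (0 on error). */
static unsigned short bound_port(int fd)
{
    struct sockaddr_in sin; socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) == -1)
        return 0;
    return ntohs(sin.sin_port);
}

int main(void)
{
    int fd = acquire_listener(0, 0);   /* a real daemon asks for 25 via the helper */
    if (fd == -1) { perror("acquire_listener"); return 1; }
    printf("listening on 127.0.0.1:%u, bound by the child\n", bound_port(fd));
    close(fd);
    return 0;
}
```

The point the quoted message makes is visible in acquire_listener(): the parent never calls bind(), yet getsockname() on its descriptor reports the port the child chose, because fork() duplicates the descriptor onto the same open file description. The helper's own checks (is this really a stream socket, is this uid allowed this port) are where the "small program to audit" lives. Peter's alternative needs no helper at all: the daemon binds an unprivileged port and the packet filter rewrites the destination, which in the pf syntax of that era would be a rule along the lines of `rdr on $ext_if proto tcp from any to any port 25 -> 127.0.0.1 port 2525` (interface name and the high port are assumptions).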