Re: [exim-dev] External barriers to privilege escalation

Author: W B Hacker
To: Hilko Bengen
CC: exim-dev
Subject: Re: [exim-dev] External barriers to privilege escalation
Hilko Bengen wrote:
> * W B Hacker:
>> - ALL? Per OpenBSD practice, the production FreeBSD boxen now mount /var, and
>> /<the mailstore> as noexec, nosuid.
>> I'd call that one an 'ALL' until someone points out what it harms, and WHY that
>> critter is allowed to <whatever>...
> On a Linux (Debian) box
> # mount --bind /var/spool/exim4 /var/spool/exim4
> # mount -oremount,noexec,nosuid /var/spool/exim4
> should make at least the mail store unusable for dropping executables.

+1 ACK - spool / queue anyway. (my mailstore never has been in /var)

> Of course, this doesn't help against executing dropped shell scripts

It may do so to some extent. 'depends on (other externals..) ++...'

> and
> calling directly where that is possible.

Whole 'nuther can of worms, that one ...

> -Hilko

IMNSHO, there needs to be a gathering of Penguins on that score.

Reasonably OS-agnostic, I'm of the opinion that comparable levels of expertise
and paranoia can 'harden' a Linbox or *BSD box to approximately the same degree.

But I personally have to plead ignorance on 'how so' outside of *BSD land, so -

.. given that - AFAIK - Exim is more often riding on Linux than not, some
research and write ups from those who DO know, seem to be a good idea.

I *hope* to (eventually) see Exim able to not-ever need 'root' privs, but
meanwhile, and more realistically, 'belt AND braces' ....
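A defender's check for the bind-mount step quoted above, as an added example that is not part of the original message: it parses mount-table lines in /proc/self/mounts format (the sample table is constructed for offline use) and reports whether the Exim spool path, or anything beneath it, sits on a mount that carries both noexec and nosuid.

```shell
#!/bin/sh
# Added example, not from the exim-dev thread: verify that a spool path is
# covered by a mount with both noexec and nosuid set. Mount-table lines use
# the /proc/self/mounts layout: device mountpoint fstype options dump pass.
# SAMPLE_MOUNTS is a constructed table for offline testing.

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /var/spool/exim4 ext4 rw,relatime,nosuid,noexec 0 0
/dev/sda2 /var/mail ext4 rw,relatime,nosuid 0 0'

# mount_opts TABLE PATH -> prints the option field of the longest mount point
# that is PATH itself or an ancestor of it (a bind mount shows up as its own
# entry, which is why the remount in the thread takes effect).
mount_opts() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p || $2 == "/" || index(p, $2 "/") == 1 {
            if (length($2) > best) { best = length($2); opts = $4 }
        }
        END { print opts }'
}

# spool_hardened TABLE PATH -> exit status 0 when noexec and nosuid are both
# present in the effective mount options, 1 otherwise.
spool_hardened() {
    opts=$(mount_opts "$1" "$2")
    case ",$opts," in
        *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# Live use: spool_hardened "$(cat /proc/self/mounts)" /var/spool/exim4
if spool_hardened "$SAMPLE_MOUNTS" /var/spool/exim4; then
    echo "/var/spool/exim4: noexec,nosuid present"
else
    echo "/var/spool/exim4: MISSING noexec and/or nosuid" >&2
fi
```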