Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox
From: Chris Lightfoot
Subject: Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox
Date: Wed, 14 Nov 2001 16:47:40 +0000
User-agent: Mutt/1.2.5i
On Wed, Nov 14, 2001 at 04:54:55AM -0800, Paul Makepeace wrote:
> On Wed, Nov 14, 2001 at 12:43:39PM +0000, Chris Lightfoot wrote:
> > Ah, what would be the fun of having a mailing list without
> > the occasional flame-war....
> >
> > The counterarguments are:
> >
> > - group mail g+w means that all mail clients must be
> > setgid mail in order to do locking properly, and
> > therefore introduce an additional security exposure;
>
> Hmm, well exim is a monolithic setuid root MTA.
... which has a good security history, certainly better
than many MUAs. MUAs are typically more complex anyway
(they have to deal with MIME, character sets and all sorts
of other badness). I wouldn't want to trust any part of
the security of a machine to PINE, say. And there's no
reason at all that an MUA should represent a security
boundary within the system in the sense of being setgid,
anyway.
> > - if somebody is sufficiently silly to try to fill up
> > /var/spool/mail, it will be fairly obvious who is
> > responsible;
>
> Depending on the architecture of the MTA, being able to create symlinks
> might be a problem...
Possibly. But let's assume that we're not using Postfix.
> > - suitably-configured user disk quotas make this all
> > kind of irrelevant anyway.
>
> Disk quotas are a dog on linux in big settings, so I've heard.
That's not a big surprise.
IMO the real problem is lock files. Setgid MUAs and 1777
/var/spool/mail are just (equally) ugly workarounds. The
real solution is to use a real sort of lock.
> Flamewars, security, unix & Bernstein:
> http://cr.yp.to/maildisasters/postfix.html
> http://packetstorm.decepticons.org/9901-exploits/qmail-DoS.txt
Yes....
--
Early to rise and early to bed,
makes a man healthy, wealthy and dead (Thurber)
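The locking point made in the message above, as an added example that is neither tpop3d's code nor anything posted by a participant in this thread: a whole-file fcntl() lock taken on the mbox itself, beside the traditional <mailbox>.lock dotlock. The dotlock is what needs write permission on the spool directory (hence setgid-mail MUAs or a 1777 /var/spool/mail); the fcntl() lock needs only read/write access to the file. The temporary directory, the mailbox name and its one message are constructed for the demonstration.

```c
/* Added example (not tpop3d code, not from anyone in this thread):
 * an fcntl() lock on the mbox itself versus the traditional
 * <mailbox>.lock dotlock. The mailbox and its contents are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Write-lock the whole mailbox with fcntl(). Needs only read/write access
 * to the file: no directory write bit, no setgid helper. Returns the locked
 * fd, or -1 with errno set (EAGAIN/EACCES when another process holds it). */
static int mbox_fcntl_lock(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;                      /* 0 = through end of file */
    if (fcntl(fd, F_SETLK, &fl) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;                         /* close(fd) releases the lock */
}

/* Create <path>.lock atomically with O_EXCL. This needs write permission on
 * the spool directory, which is what drags in setgid-mail MUAs or a 1777
 * /var/spool/mail. Returns 0, or -1 with errno (EEXIST if already held). */
static int mbox_dotlock(const char *path)
{
    char lock[256];
    snprintf(lock, sizeof lock, "%s.lock", path);
    int fd = open(lock, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

static int mbox_dotunlock(const char *path)
{
    char lock[256];
    snprintf(lock, sizeof lock, "%s.lock", path);
    return unlink(lock);
}

/* Constructed sample: a one-message mbox in a fresh temporary directory. */
static int make_sample_mbox(char *dir, size_t dirlen, char *path, size_t pathlen)
{
    char tmpl[] = "/tmp/mboxdemo.XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(dir, dirlen, "%s", tmpl);
    snprintf(path, pathlen, "%s/alice", tmpl);
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs("From bob@example.org Wed Nov 14 16:47:40 2001\n"
          "From: bob@example.org\nTo: alice@example.org\n"
          "Subject: constructed sample\n\nhello\n", f);
    fclose(f);
    return 0;
}

/* Returns 1 if we obtain the fcntl lock and a second *process* is refused.
 * fcntl locks belong to the process, so contention must come from a fork(). */
int demo_fcntl_lock(void)
{
    char dir[64], path[96];
    if (make_sample_mbox(dir, sizeof dir, path, sizeof path) < 0) return 0;
    int fd = mbox_fcntl_lock(path);
    if (fd < 0) return 0;
    pid_t pid = fork();
    if (pid == 0) {                    /* child: should be refused the lock */
        int cfd = mbox_fcntl_lock(path);
        _exit(cfd < 0 && (errno == EAGAIN || errno == EACCES) ? 0 : 1);
    }
    int status = 1;
    if (pid > 0) waitpid(pid, &status, 0);
    close(fd);
    unlink(path);
    rmdir(dir);
    return pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Returns 1 if the dotlock is exclusive (second attempt fails with EEXIST)
 * and can be taken again once released. */
int demo_dotlock(void)
{
    char dir[64], path[96];
    if (make_sample_mbox(dir, sizeof dir, path, sizeof path) < 0) return 0;
    int ok = 1;
    if (mbox_dotlock(path) < 0) ok = 0;
    if (mbox_dotlock(path) == 0 || errno != EEXIST) ok = 0;
    if (mbox_dotunlock(path) < 0) ok = 0;
    if (mbox_dotlock(path) < 0 || mbox_dotunlock(path) < 0) ok = 0;
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("fcntl lock exclusive across processes: %s\n", demo_fcntl_lock() ? "yes" : "no");
    printf("dotlock exclusive and reusable: %s\n", demo_dotlock() ? "yes" : "no");
    return 0;
}
```

Two caveats a practitioner would add: fcntl() locks are per process, not per descriptor, so a second open() in the same process will not conflict (that is why the example forks); and on NFS-mounted spools fcntl() depends on the lock daemon working, which is why many sites of that era ended up taking both kinds of lock.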
Thread:
- [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Zdenek Pizl, 2001/11/13
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Paul Warren, 2001/11/13
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Paul Warren, 2001/11/14
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Chris Lightfoot, 2001/11/14
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Chris Elsworth, 2001/11/14
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Chris Lightfoot, 2001/11/14
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Chris Elsworth, 2001/11/14
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Paul Makepeace, 2001/11/14
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Chris Lightfoot, 2001/11/14 (this message)
- Re: [tpop3d-discuss] tpop3d, sendmail and owner of mailbox, Paul Warren, 2001/11/14
- [tpop3d-discuss] Re: tpop3d, sendmail and owner of mailbox, Zdenek Pizl, 2001/11/14