From owner-freebsd-current@FreeBSD.ORG Mon Feb 24 22:50:13 2014
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: current@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 7435BDA2;
	Mon, 24 Feb 2014 22:50:13 +0000 (UTC)
Received: from mx1.stack.nl (relay02.stack.nl [IPv6:2001:610:1108:5010::104])
	(using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 36BDB10F2;
	Mon, 24 Feb 2014 22:50:13 +0000 (UTC)
Received: from snail.stack.nl (snail.stack.nl [IPv6:2001:610:1108:5010::131])
	by mx1.stack.nl (Postfix) with ESMTP id C253D3592E1;
	Mon, 24 Feb 2014 23:50:10 +0100 (CET)
Received: by snail.stack.nl (Postfix, from userid 1677)
	id AE59228497; Mon, 24 Feb 2014 23:50:10 +0100 (CET)
Date: Mon, 24 Feb 2014 23:50:10 +0100
From: Jilles Tjoelker
To: Slawa Olhovchenkov
Cc: Baptiste Daroussin, current@FreeBSD.org
Subject: Re: Import of DragonFly Mail Agent
Message-ID: <20140224225010.GB58692@stack.nl>
References: <20140223211155.GS1699@ithaqua.etoilebsd.net>
	<20140224141737.GA15581@zxy.spb.ru>
	<20140224143013.GD83610@ithaqua.etoilebsd.net>
	<20140224150154.GJ15848@zxy.spb.ru>
In-Reply-To: <20140224150154.GJ15848@zxy.spb.ru>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
X-List-Received-Date: Mon, 24 Feb 2014 22:50:13 -0000

On Mon, Feb 24, 2014 at 07:01:54PM +0400, Slawa Olhovchenkov wrote:
> On Mon, Feb 24, 2014 at 03:30:14PM +0100, Baptiste Daroussin wrote:
> > On Mon, Feb 24, 2014 at 06:17:37PM +0400, Slawa Olhovchenkov wrote:
> > > On Sun, Feb 23, 2014 at 10:11:56PM +0100, Baptiste Daroussin wrote:
> > > > As some of you may have noticed, I have imported a couple of days
> > > > ago dma (DragonFly Mail Agent) in base. I have been asked to
> > > > explain my motivation so here they are.

> > > What about suid, security separation, etc.?

> > What do you mean? dma is changing user as soon as possible, dma will
> > be capsicumized, what else do you want as information?

> sendmail (in the past) had the same behaviour (run as root and change
> user).
> This is some security risk.
> For many scenarios changing user is not simple (for example -- send a file
> from local user A to local user B, file with permission 0400).
> sendmail will be forced to change behaviour -- mailnull suid program
> for placing mail into the queue and root daemon for delivery to the user.
> This is more complex.
> Can dma avoid this way?

I'm a bit disappointed that dma uses setuid/setgid binaries, although it
is not a regression because sendmail also uses this Unix misfeature.

To avoid the large attack surface of set*id binaries (the untrusted user
can set many process parameters, pass strange file descriptors, send
signals, etc), I think it is better to implement trusted submission
differently. A privileged daemon (not necessarily running as root) can
listen on a Unix domain socket and use getpeereid(3) to verify the
credentials of the client.

Note that the largest gain with set*id binaries is obtained when the
last set*id binary is removed; we are pretty far from that.

-- 
Jilles Tjoelker
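The submission design Jilles describes above (a daemon that need not be root, listening on a Unix domain socket and asking the kernel who the client is via getpeereid(3)), written out in C as an added example. This is not code from the thread or from dma: the function names, the temporary socket path and the acceptance policy (a submission is attributed to the kernel-reported peer uid, so a client cannot claim to be another local user) are assumptions made for the illustration. getpeereid(3) exists on the BSDs and macOS; on Linux, which lacks it, the same information comes from SO_PEERCRED, so the helper below is portable across both.

```c
#define _GNU_SOURCE            /* struct ucred on Linux; harmless elsewhere */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/un.h>

/* Kernel-reported credentials of the peer on a connected AF_UNIX stream
 * socket: getpeereid(3) on the BSDs and macOS, SO_PEERCRED on Linux.
 * Returns 0 on success, -1 (errno set) on failure. */
int peer_ids(int fd, uid_t *uid, gid_t *gid)
{
#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__NetBSD__) || \
    defined(__OpenBSD__) || defined(__APPLE__)
    return getpeereid(fd, uid, gid);
#elif defined(__linux__)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) == -1)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
#else
    (void)fd; (void)uid; (void)gid;
    errno = ENOSYS;
    return -1;
#endif
}

/* Hypothetical daemon policy: the envelope sender of a submission is the
 * uid the kernel reports for the peer, never a uid the client merely
 * claims in the protocol.  Returns 1 if claimed_uid is accepted, 0 if
 * rejected, -1 if the credentials could not be looked up. */
int authorize_sender(int fd, uid_t claimed_uid)
{
    uid_t uid;
    gid_t gid;

    if (peer_ids(fd, &uid, &gid) == -1)
        return -1;
    return uid == claimed_uid;
}

/* Stand-alone walk-through with server and client in one process: bind a
 * listening socket under a constructed temporary directory, connect to it,
 * accept, and run the check twice (honest uid, then a spoofed one).
 * Returns 1 if the honest claim is accepted and the spoofed one rejected. */
int demo_trusted_submission(void)
{
    char dir[] = "/tmp/submit-demo-XXXXXX";     /* constructed path */
    char path[128];
    struct sockaddr_un sa;
    int srv = -1, cli = -1, conn = -1, ok = 0;
    uid_t me = getuid();
    uid_t spoofed = (me == 0) ? 65534 : 0;     /* some other local uid */

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/sock", dir);

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);

    /* Server side: the daemon does this once at startup. */
    if ((srv = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) goto out;
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) == -1) goto out;
    if (listen(srv, 1) == -1) goto out;

    /* Client side: an unprivileged (non-set*id) submission program. */
    if ((cli = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) goto out;
    if (connect(cli, (struct sockaddr *)&sa, sizeof sa) == -1) goto out;

    /* Back on the server: accept, then let the kernel say who called. */
    if ((conn = accept(srv, NULL, NULL)) == -1) goto out;

    ok = authorize_sender(conn, me) == 1          /* honest claim accepted  */
      && authorize_sender(conn, spoofed) == 0;    /* spoofed claim rejected */

out:
    if (conn != -1) close(conn);
    if (cli != -1) close(cli);
    if (srv != -1) close(srv);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    int ok = demo_trusted_submission();
    printf("trusted submission check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the design is that the client process carries no privilege at all: it is an ordinary program of the user who runs it, so none of the set*id hazards Jilles lists (attacker-controlled environment, rlimits, inherited descriptors, signals) apply, and the daemon learns the sender's identity from the kernel rather than from anything the client sends.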