From: Claus Assmann
To: freebsd-current@FreeBSD.ORG
Subject: Re: 5.0-RC2 informal PR: 90 sec sendmail delay
Date: Thu, 2 Jan 2003 10:48:10 -0800
Message-ID: <20030102104810.A27967@zardoc.esmtp.org>
In-Reply-To: <3E13D095.FC52B758@mindspring.com>; from tlambert2@mindspring.com on Wed, Jan 01, 2003 at 09:39:33PM -0800
References: <3E1352BC.4043921B@mindspring.com> <20030101145232.A391@zardoc.esmtp.org> <3E13D095.FC52B758@mindspring.com>

On Wed, Jan 01, 2003, Terry Lambert wrote:
> Claus Assmann wrote:

> It's an editorial complaint. I don't like breaking the
> program into separate programs by function. IMO, DJB is wrong,
> and this does nothing to enhance security. The result of doing
> this in FreeBSD has been to greatly complicate rc scripts, with
> the result that sendmail is much less of an unpluggable component
> that can be replaced with something else, easily, and with little
> system impact.
>
> I understand the "security" reasoning, based on having to compete
> with qmail and other packages that claim this separation magically
> fixes all security issues. But it's just a propaganda move, and
> it's not technically justified.

There is no magic, this is plain and simple good engineering standard:
you need multiple layers of security. You have to minimize the impact
of any mistake that can happen.

> > If you are referring to the separation of sendmail into MTA and
> > MSP: this was necessary to get rid of sendmail being set-user-ID
> > root, which is a security risk (as you will probably agree, this
> > isn't marketing, this is real, e.g., sendmail was abused in some
> > cases to exploit bugs in the OS).

> Nope. I don't agree. I think the change makes things harder, and
> I don't see a difference in the volume of security advisories (e.g.
> not a lot of advisories warning about people being able to obtain
> the "$MAILUSER" identity through some buffer overflow, rather than
> "root").

I can't believe you have written this. Come on, this is trivial.
What can you do with root access? What can you do with smmsp group
access?

Here's the plain and simple reason for the change in 8.12:

8.11.6/8.11.6 2001/08/20
	SECURITY: Fix a possible memory access violation when specifying
		out-of-bounds debug parameters. Problem detected by Cade
		Cairns of SecurityFocus.

This was what finally triggered the switch, which we had put off far
too long. Any simple bug somewhere in this huge program or in the
environment, e.g.:

8.10.2/8.10.2 2000/06/07
	SECURITY: Work around broken Linux setuid() implementation. On
		Linux, a normal user process has the ability to subvert the
		setuid() call such that it is impossible for a root process
		to drop its privileges. Problem noted by Wojciech Purczynski
		of elzabsoft.pl.
	SECURITY: Add more vigilance around set*uid(), setgid(),
		setgroups(), initgroups(), and chroot() calls.

would give someone root access. This is NOT acceptable (IMNSHO). Is
that "just a propaganda move, and it's not technically justified"?

> At one point, sendmail was getting a lot of crap in the trade press
> over running suid root... but, IMO, that's all it was: crap. It was
> just a hook that people could hang marketing arguments against
> sendmail on, to FUD people into using a different product. Any
> reaction to FUD is a marketing reaction, unless there's provable
> technical merit in the decision.

See above.
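The 8.10.2 changelog entries quoted in the message above describe a setuid() call that can be prevented from dropping root, and the resulting "more vigilance" around set*uid() calls. The C program below is an added example written for this page, not sendmail's code and not part of the original mail: it shows what that vigilance looks like in practice, checking the return value of every set*id() call and then verifying the resulting identity (including that root cannot be regained from a saved set-user-ID) instead of assuming the calls succeeded. The function names drop_privileges() and verify_identity() are my own; the order of the calls (setgroups, setgid, then setuid) follows the usual requirement that group ids be changed while the process can still do so.

```c
/* Defensive privilege dropping: check every set*id() return value and
 * verify the result, rather than assuming the calls succeeded.
 * Illustrative example only, not sendmail's own code. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Confirm that the process really holds exactly (uid, gid) and, when the
 * target is unprivileged, that root cannot be regained from a saved
 * set-user-ID. Returns 0 if the identity checks out, -1 if not. */
int verify_identity(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0) {
        /* Both calls must fail once root has been given up for good;
         * success here means the drop left a root saved uid behind. */
        if (setuid(0) == 0 || seteuid(0) == 0)
            return -1;
    }
    return 0;
}

/* Drop to (uid, gid). Every step is checked; a failed setuid() is an
 * error, never silently ignored. Returns 0 on success, -1 on failure
 * with errno set by the failing call (EACCES if verification fails). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups and the gid go first, while still root:
     * after setuid() the process can no longer change them. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (verify_identity(uid, gid) != 0) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* With no arguments, "drop" to the current ids, which is a no-op for
     * an unprivileged user but still exercises every check. As root, pass
     * the numeric uid and gid of an unprivileged account. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (argc == 3) {
        uid = (uid_t)strtoul(argv[1], NULL, 10);
        gid = (gid_t)strtoul(argv[2], NULL, 10);
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges(%lu, %lu) failed: %s\n",
                (unsigned long)uid, (unsigned long)gid, strerror(errno));
        return 1;
    }
    printf("now running as uid=%lu gid=%lu\n",
           (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

The point of verify_identity() is the one the changelog makes: if the kernel (or an attacker-controlled environment) can make setuid() fail, a program that ignores the return value keeps running as root while believing it has dropped privileges, and the only safe reaction to a failed or unverifiable drop is to abort.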