From: Baptiste Daroussin
To: Jilles Tjoelker
Cc: current@FreeBSD.org, Slawa Olhovchenkov
Date: Tue, 25 Feb 2014 11:30:56 +0100
Subject: Re: Import of DragonFly Mail Agent
Message-ID: <20140225103056.GH83610@ithaqua.etoilebsd.net>
In-Reply-To: <20140224225010.GB58692@stack.nl>
List: freebsd-current (Discussions about the use of FreeBSD-current)

On Mon, Feb 24, 2014 at 11:50:10PM +0100, Jilles Tjoelker wrote:
> On Mon, Feb 24, 2014 at 07:01:54PM +0400, Slawa Olhovchenkov wrote:
> > On Mon, Feb 24, 2014 at 03:30:14PM +0100, Baptiste Daroussin wrote:
>
> > > On Mon, Feb 24, 2014 at 06:17:37PM +0400, Slawa Olhovchenkov wrote:
> > > > On Sun, Feb 23, 2014 at 10:11:56PM +0100, Baptiste Daroussin wrote:
>
> > > > > As some of you may have noticed, I have imported a couple of days
> > > > > ago dma (DragonFly Mail Agent) in base. I have been asked to
> > > > > explain my motivation so here they are.
>
> > > > What about suid, security separation, etc.?
>
> > > What do you mean? dma is changing user as soon as possible, dma will
> > > be capsicumized, what else do you want as information?
>
> > sendmail (in the past) had the same behaviour (run as root and change
> > user).
> > This is some security risk.
> > For many scenarios changing user is not simple (for example -- send a file
> > from local user A to local user B, file with permission 0400).
> > sendmail was forced to change behaviour -- a mailnull suid program
> > to place mail into the queue and a root daemon to deliver to users.
> > This is more complex.
> > Can dma avoid this?
>
> I'm a bit disappointed that dma uses setuid/setgid binaries, although it
> is not a regression because sendmail also uses this Unix misfeature.
>
> To avoid the large attack surface of set*id binaries (the untrusted user
> can set many process parameters, pass strange file descriptors, send
> signals, etc), I think it is better to implement trusted submission
> differently. A privileged daemon (not necessarily running as root) can
> listen on a Unix domain socket and use getpeereid(3) to verify the
> credentials of the client.
>
As long as $anyone locally can send emails, what is the point of checking
getpeereid(3)?

regards,
Bapt
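The credential check Jilles describes, written out as an added example that is not part of this thread or of dma's code: a submission daemon that has accepted a connection on a Unix domain socket asks the kernel for the peer's uid/gid and attributes the submission to that identity rather than to anything the client sends. It assumes getpeereid(3) where it exists (FreeBSD, DragonFly, macOS) and falls back to the SO_PEERCRED socket option on Linux, which lacks getpeereid; in the self-check a socketpair stands in for the accepted connection, so the peer is the process itself.

```c
#define _GNU_SOURCE            /* Linux: exposes struct ucred for SO_PEERCRED */
#include <sys/types.h>
#include <sys/socket.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Credentials of the process at the other end of an AF_UNIX socket.
 * getpeereid(3) exists on FreeBSD/DragonFly/macOS; Linux lacks it, so the
 * same data is read with SO_PEERCRED there. Returns 0 on success, -1 on error. */
static int peer_creds(int fd, uid_t *uid, gid_t *gid)
{
#ifdef SO_PEERCRED
    struct ucred uc;
    socklen_t len = sizeof uc;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &uc, &len) == -1)
        return -1;
    *uid = uc.uid; *gid = uc.gid;
    return 0;
#else
    return getpeereid(fd, uid, gid);
#endif
}

/* What the daemon does after accept(2): derive the submitter's identity from
 * the kernel-verified uid (login name, or the numeric uid if there is no
 * passwd entry). Returns 0, or -1 if the credentials could not be obtained. */
static int verified_submitter(int fd, char *out, size_t outlen)
{
    uid_t uid; gid_t gid;
    if (peer_creds(fd, &uid, &gid) == -1)
        return -1;
    struct passwd *pw = getpwuid(uid);
    if (pw != NULL)
        snprintf(out, outlen, "%s", pw->pw_name);
    else
        snprintf(out, outlen, "uid%lu", (unsigned long)uid);
    return 0;
}

/* Self-check: a socketpair stands in for an accepted connection, so the
 * peer is this process. Returns 1 if the kernel reports our own uid/gid. */
static int peer_is_self(void)
{
    int sv[2];
    uid_t uid; gid_t gid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 0;
    int ok = peer_creds(sv[0], &uid, &gid) == 0 && uid == getuid() && gid == getgid();
    close(sv[0]); close(sv[1]);
    return ok;
}
```

In a real daemon the fd passed to verified_submitter() is the one returned by accept(2) on the listening socket; the client-supplied envelope sender can then be compared against, or replaced by, the name the kernel vouches for.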