Date: 20 Dec 1998 17:33:47 -0000 Message-ID: <19981220173347.8783.qmail@cr.yp.to> Mail-Followup-To: qmail@list.cr.yp.to From: "D. J. Bernstein" To: qmail@list.cr.yp.to Subject: Anonymous postfix denial of service, snooping, theft, mailbombing References: <0d1701be27ec$638d91e0$1d01a8c0@fishtank> <13944.8162.70437.741992@non.non.net> Russ Allbery writes: > So far as I can tell, neither qmail nor Postfix is really superior in > the sense of basic design; some different approaches were taken > between them, but the differences don't seem massively significant to me. Consider, for example, the fact that the IBM ``Secure'' Mailer says it requires a world-writable directory for users to drop off messages. Nothing stops a user from listing the contents of the drop directory--- the filenames are easily guessable---to see uids and sizes of outgoing mail. It doesn't matter how well you've protected your process list and mail log; the queue is unprotected. The user has to win a race with the queue sweeper, of course, but he can easily do this by creating thousands of extra files in the drop directory, and removing them when he's done snooping. Even worse, nothing stops a user from making some hard links to another user's files in the drop directory. postfix refuses to deliver a file with more than one link. There is no way to identify the culprit. (In the security community, the standard solution to that problem is to avoid world-writable directories. For example, if a user puts temporary files into $HOME/tmp, and there are no world-writable directories on the $HOME filesystem, then there's no place for an attacker to put an anonymous hard link. I also think that link() should be prohibited for people other than the file owner; but that's not how UNIX works today.) Furthermore, on systems that allow file giveaways, nothing stops a user from creating thousands of messages in the postfix drop directory under another user's name. Again, there is no way to identify the culprit. All the logs will blame the wrong user. Finally, if a user sets up a mode-700 file in a world-readable directory on the same filesystem as the postfix drop directory, then an attacker can try linking the file into the drop directory. If the first user removes the file, and if the file happens to have the right structure for an outgoing postfix message, then postfix will go ahead and mail it! Why doesn't postfix use a protected queue, and a setuid program to add a message to the queue with guaranteed user identification? The postfix documentation says that this is a security feature! ``No Postfix program is set-uid. Introducing the concept was the biggest mistake made in UNIX history. Set-uid (and its weaker cousin, set-gid) causes more trouble than it is worth. ...'' Certainly setuid programs require a great deal of care. They've been involved in many security disasters, though certainly not as many as world-writable directories. The security community would love to see another portable IPC mechanism offering guaranteed user identification. However, while we're waiting, we need a few setuid programs. ---Dan