Bugtraq mailing list archives

ANNOUNCE: qmail Security Challenge


From: dsill () HIGHLAND NET (Dave Sill)
Date: Wed, 18 Jun 1997 07:58:18 EST


Background

In February, 1996, Daniel J. Bernstein released the first public beta
test version of qmail, a Message Transfer Agent (MTA). One of his
primary motivations for developing qmail was the notorious insecurity
of the "standard" UNIX MTA, sendmail.

Unlike sendmail, qmail was designed to be secure in today's hostile
Internet environment. It does as little as possible in setuid programs
and as little as possible as the superuser--and does nothing setuid
root. It does separate functions in separate, mutually untrusting
programs--breaking one function won't break the whole system. It
avoids error-prone parsing as much as it can. It keeps the distinction
between addresses and programs/files clear so it won't be tricked into
accessing the system in unintended ways. It is also small and simple,
yet surprisingly powerful, and was coded with almost fanatical care to
avoid security pitfalls.

The Challenge

Now that qmail version 1.01 is available, a group of qmail supporters
from the djb-qmail mailing list has pooled its resources and issued a
challenge to the UNIX security community intended to subject qmail to
the same kind of rigorous inspection that sendmail has been given.
They're offering a cash prize (currently $375, although $500 has been
pledged) to the first person or group to find a security bug in
qmail. Dan Bernstein has also offered his own $500 reward, but he
requires that the bug be present on a system with publicly available
source code so he can be sure the problem really lies with qmail, not
the operating system. Contact Dan for more information about his
offer.

Rules

   1.The qmail Security Challenge, hereinafter referred to as "The
     Challenge", begins April 23, 1997, and ends when the prize is
     awarded or at midnight, Eastern daylight savings time, April 23,
     1998, whichever comes first.

   2.The Challenge is being run by the Challenge Committee,
     hereinafter referred to as "The Committee", consisting of Dave
     Sill (chairman) and all bona fide donors. The Committee is
     independent, and is not associated with any other organization.

   3.A maximum of one prize will be awarded.

   4.The prize will be a cashier's check in US dollars equal to the
     total amount of the donations of the individual Committee members
     plus any interest earned on the donations during The Challenge.
     The prize is being held in escrow by the chairman and currently
     totals three hundred seventy five US dollars (US$375).

   5.Unclaimed prize money will be donated to the Free Software
     Foundation after the contest ends.

   6.To qualify for the prize, the bug must be in the current public
     release of qmail at the time a claim is filed. For example, if a
     bug is discovered in 1.01 after a subsequent release, but the bug
     is fixed in the new release, it's disqualified.

   7.Bugs that qualify for the prize, subject to the other conditions
     outlined in these rules, must be one of the following:
         Remote exploits that give login access.
         Local or remote exploits that grant root privileges.
         Local or remote exploits that grant read or write access to a
             file the user can't normally access because of UNIX
             access controls (owner/group/mode).
         Local or remote exploits that cause any of the long-lived
             qmail processes (currently: qmail-send, qmail-rspawn,
             qmail-lspawn, or qmail-clean) to terminate.

   8.The following types of bugs are specifically disqualified:
         Exploits that involve corrupting DNS data, breaking TCP/IP,
             breaking NFS, or denying service (except for the case
             above).
         Exploits based on bugs in the host operating system or other
             non-qmail code (for example, it's not qmail's fault if
             vendor X has a bug that allows users to exploit any
             setuid program).
         Exploits based on insecure shell commands in .qmail files
             (for example, a .qmail file that grants login access
             either intentionally or inadvertently).
         Exploits based on insecure customized configuration beyond
             the minimal install (i.e., normal modifications to
             control files to set up virtual domains, etc, are OK, but
             if the admin writes a program to rewrite headers, it's
             not covered).
         Exploits that are not reproducible by The Committee.

   9.Claims will be tested on a system with a minimal qmail
     configuration based on the INSTALL file included with the qmail
     distribution, plus any qualifying modifications to
     /var/qmail/control files specified by the claimant.

  10.To submit a claim, details must be sent to dsill () highland net
     before the contest ends. Claims will be evaluated in the order
     received. Entries will be acknowledged by return e-mail. The
     Committee will not be responsible for unacknowledged entries. The
     Committee will evaluate claims within sixty (60) days of
     confirmed receipt of submission.

  11.The Committee disclaims all liability for anything related to the
     contest. The Committee will not award the prize to anyone who
     causes any disruption in service to any system that is not the
     responsibility of the claimant. We recommend that all testing be
     done on systems dedicated to that purpose.

  12.These rules can be modified at any time by The Committee. Rules
     changes will be announced on the djb-qmail () koobera math uic edu
     mailing list. Claims will be evaluated against the most recently
     announced rules at the time the claim is received by The
     Committee.

This document is also available from
<URL:http://web.infoave.net/~dsill/qmail.html>.


