oss-sec mailing list archives
Re: Short notes on qmail security guarantee
From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 22 May 2020 18:00:12 -0400
On Fri, May 22, 2020 at 8:19 AM Solar Designer <solar () openwall com> wrote:
... Writing code that avoids artificial limits yet is safe, is hard. One way to do it is to avoid artificial limits throughout the code, but then impose them at a higher level, where they can be adjusted easily. One such higher level is the operating system, but that makes the program's security dependent on its environment in this extra way (beyond many others) and with greater risk impact (worse than DoS). Arguably, this makes the program unnecessarily fragile. Another higher level would be within the program, like we see in Qualys' patch for qmail now. This reduces the dependency of the program's security on its environment.
I don't use Qmail so I don't really have a dog in this fight, but ... I'm not sure its a good idea to depend on another layer for security properties, especially when a control is readily available. (re: the first part of the paragraph). Qmail should not depend on the operating system for security when it is readily available to Qmail. In my mind's model, Qmail can remediate this at the application level and has no need to turn to the operating system at the platform level. To drive the point home, consider an application that uses Apple iOS 4-digit PIN rather then a more proper authentication system that requires sufficiently sized passcodes or phrases. Here, the application's security depends on the operating system's security. ANd many folks would not consider a 4 character PIN code sufficient for authentication. As another example, consider an application that depends upon infrastructure for security instead of application security. Most people would agree it would be a bad idea to forgo IPsec, VPN or TLS because the infrastructure should be secure. Another way I view it as a vulnerability in Qmail is, Qmail is trusting the user for its security in a default state. Here, Qmail trusts the user will set an appropriate limit on 32-bit platforms. Trust is something you turn to when you don't have a security control to place. But in this case there is a control to place - a sane default limit inside Qmail. Jeff
Current thread:
- Short notes on qmail security guarantee Georgi Guninski (May 21)
- Re: Short notes on qmail security guarantee Solar Designer (May 22)
- Re: Short notes on qmail security guarantee Michal Zalewski (May 22)
- Re: Short notes on qmail security guarantee Georgi Guninski (May 22)
- Re: Short notes on qmail security guarantee Arrigo Triulzi (May 22)
- Re: Short notes on qmail security guarantee Perry E. Metzger (May 22)
- Re: Short notes on qmail security guarantee Jeffrey Walton (May 22)
- Re: Short notes on qmail security guarantee Solar Designer (May 22)