Postfix design directions

[wietse () PORCUPINE ORG (Wietse Venema)]

This is an invitation for constructive discussion regarding the
merits of world-writable maildrop directories versus set-uid or
set-gid posting agents.

The Postfix design takes an unusual approach. In the light of
experience, I have no difficulty making changes to the design, but
I want to make an informed decision.

World-writable maildrop directories
-----------------------------------

Postfix uses a world-writable maildrop directory with an unprivileged
posting agent. Other systems use protected directories and set-uid/gid
posting agents.

The attacks on a world-writable maildrop directory are:  1) any
local user can flood the maildrop directory, 2) any local user can
hard link files to the maildrop directory (from maildrop or from
elsewhere), and 3) any local user can hard link files from the
maildrop directory to other directories.  I will ignore attacks
that require systems with unrestricted chown.

Attack 1 is an annoyance. Just like filling up /tmp or /var/tmp.
Using a set-uid/gid posting agent does not prevent an attacker from
filling up the queue directory. However, set-uid/gid posting agents
do provide easier accountability.

Attack 2 is a wash. Postfix deletes a queue file that has multiple
links, so that the link count goes down; Postfix delivers a queue
file that has one hard link and that satisfies the Postfix-specific
record structure and record sequence requirements; Postfix discards
any other queue file.

I made a stupid oversight by missing 3). Postfix deletes the queue
file from the queue and the mail is not delivered. In order to stop
this attack one would have to keep maildrop queue file names secret.
The first step is to revoke directory read permission. The second
step is to choose file names from a sufficiently large name space.
Currently, the name space is about 2^15, but then the original goal
was not to keep queue file names secret.  That can be changed.

The final consideration is robustness against change.  Given that
this scheme uses only directory permissions and file names, I expect
it to be robust against changes in the operating system environment.

Set-uid/gid posting agents
--------------------------

If a world-writable maildrop directory can be attacked, what about
set-uid/gid programs? My concern is with the large amount of control
that an attacker has over a set-uid/gid process. Except for memory
mappings, almost all other process attributes are under control by
the attacker:  process id, command-line array, environment array,
current directory, open files, process groups, process credentials,
resource limits, default file protections, scheduling priority,
signal disposition, timers, and so on; the exact list is system
dependent.  That is a fair amount of control, and that is precisely
why writing a set-uid/gid program requires a great deal of care.

What about robustness against change?  Writing a secure set-uid/gid
program is not sufficient. Examples abound of existing set-uid/gid
programs that became vulnerable after changes to the UNIX system:
for example, the introduction of shared libraries, or the introduction
of the /proc file system.  It may be possible to write a set-uid/gid
program that is secure on today's UNIX systems, but the security
can fly out the window after any change.

Future direction
----------------

I see two directions for Postfix evolution: 1) maintain the present
world-writable maildrop and unprivileged posting agent and 2) use
a protected directory and a set-gid posting agent (set-uid seems
to have no obvious advantage here). Is it feasible to keep maildrop
queue file names secret, and are the other attacks indeed mere
annoyances? Is it feasible to write secure set-gid programs that
are not only secure today, but that will be secure on tomorrow's
UNIX systems as well?

Your feedback is appreciated.

        Wietse