Re: Postfix design directions

[wietse () PORCUPINE ORG (Wietse Venema)]

I agree. It feels like a defeat, using a set-gid program, but under
the current conditions, no hard-link games are acceptable.

The set-gidness is needed only to create the queue file, and
to delete it should the process receive a signal.

        Wietse

Perry E. Metzger:
> Wietse Venema <wietse () PORCUPINE ORG> writes:
> > I see two directions for Postfix evolution: 1) maintain the present
> > world-writable maildrop and unprivileged posting agent and 2) use
> > a protected directory and a set-gid posting agent (set-uid seems
> > to have no obvious advantage here). Is it feasible to keep maildrop
> > queue file names secret, and are the other attacks indeed mere
> > annoyances? Is it feasible to write secure set-gid programs that
> > are not only secure today, but that will be secure on tomorrow's
> > UNIX systems as well?
>
> The only thing that Postfix really needs is a tiny sgid program (about
> 20 lines in length) that reads a mail message on stdin and writes it
> out to a file in the mail drop directory -- and *only* into the mail
> drop directory, and *only* if the file doesn't exist yet (i.e. open
> with O_CREAT). The gid would be unique to the mail drop directory --
> breaking the ID would at best leave you with the ability to do the
> sorts of things you can do right now (i.e. nothing particularly
> mean). Because the program would be very small, it could be well
> scrutinized. Because it would be a gateway to microscopic privileges,
> it would be not-so-bad if it were broken.
>
> With this out of the way, Postfix would lose some edge condition
> problems it has now because of the world writable spool dir. This
> would not be a perfect fix, but it would be reasonably pragmatic.
>
> Perry