Re: Postfix design directions

[peter () ATTIC VUURWERK NL (Peter van Dijk)]

On Tue, Dec 22, 1998 at 03:02:30PM -0500, Wietse Venema wrote:
> This is an invitation for constructive discussion regarding the
> merits of world-writable maildrop directories versus set-uid or
> set-gid posting agents.
>
> The Postfix design takes an unusual approach. In the light of
> experience, I have no difficulty making changes to the design, but
> I want to make an informed decision.
>
> World-writable maildrop directories
> -----------------------------------

[SNIP]

> Set-uid/gid posting agents
> --------------------------

[SNIP]

> Future direction
> ----------------
>
> I see two directions for Postfix evolution: 1) maintain the present
> world-writable maildrop and unprivileged posting agent and 2) use
> a protected directory and a set-gid posting agent (set-uid seems
> to have no obvious advantage here). Is it feasible to keep maildrop
> queue file names secret, and are the other attacks indeed mere
> annoyances? Is it feasible to write secure set-gid programs that
> are not only secure today, but that will be secure on tomorrow's
> UNIX systems as well?

3) Use a UNIX socket, TCP/IP, named pipes, whatever you want, to communicate
between user-level, user-owned processes (which might be a nice sendmail-like
interface) and a long-running process that writes into the queue.

No s[ug]id execution, no world-writeable dirs, just a small performance hit.

Greetz, Peter.
--
'I guess anybody who walks away from a root shell at :         Peter van Dijk
 a nerd party gets what they deserve!' -- BillSF     :peter () attic vuurwerk nl
-- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --   -- --
finger hardbeat () mdk ml org for my public PGP-key
  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -  ---  -