Re: [OFFTOPIC] Re: [PATCH] Single user linux

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Jesse Pollard]

Tomas Telensky <ttel5535@ss1000.ms.mff.cuni.cz>
> On Tue, 24 Apr 2001, Alexander Viro wrote:
> > On Tue, 24 Apr 2001, Tomas Telensky wrote:
> > 
> > > of linux distributions the standard daemons (httpd, sendmail) are run as
> > > root! Having multi-user system or not! Why? For only listening to a port
> > > <1024? Is there any elegant solution?
> > 
> > Sendmail is old. Consider it as a remnant of times when network was
> > more... friendly. Security considerations were mostly ignored - and
> > not only by sendmail. It used to be choke-full of holes. They were
> > essentially debugged out of it in late 90s. It seems to be more or
> > less OK these days, but it's full of old cruft. And splitting the
> > thing into reasonable parts and leaving them with minaml privileges
> > they need is large and painful work.

Actually, if you view sendmail as being an expert system it is very
cutting edge :-) It can identify a user from very skimpy data if it
is allowed to (fuzzy matching user names). It identifies local hosts
(with FQDN or partial name, or only host name).

> Thanks for the comment. And why not just let it listen to 25 and then
> being run as uid=nobody, gid=mail?

Because then everybodys mail would be owned by user "nobody".

There are some ways to do this, but they are unreliable.

   1. If the users mail is delivered to /var/mail/<username>; then the
      file /var/mail/<username> must always exist.

	This requires ALL MUAs to truncate the file.
	Some MUAs use file existance to determine if there is new mail.
	If it doesn't exist, then no new mail... ever.

   2. sendmail will not be able to create the /var/mail/<username> mail box.

   3. sendmail will not be able to process forwarding mail.
	User nobody should not be able to read files in users home
	directory... .forward files are private to the user...

   4. sendmail will not be able to process user mail filters (same problem
	as forwarding).

	Note: these filters are applied on receipt of mail (saves time and
	disk space since the filter can discard mail immediately or put it
	in appropriate folders immediately).

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.

[PATCH] Single user linux

[imel96]

hi,

a friend of my asked me on how to make linux easier to use
for personal/casual win user.

i found out that one of the big problem with linux and most
other operating system is the multi-user thing.

i think, no personal computer user should know about what's
an operating system idea of a user. they just want to use
the computer, that's it.

by a personal computer i mean home pc, notebook, tablet,
pda, and communicator. only one user will use those devices,
or maybe his/her friend/family. do you think that user want
to know about user account?

from that, i also found out that it is very awkward to type
username and password every time i use my computer.
so here's a patch. i also have removed the user_struct from
my kernel, but i don't think you'd like #ifdef's.
may be it'll be good for midori too.


	imel



--- sched.h	Mon Apr  2 18:57:06 2001
+++ sched.h~	Tue Apr 24 17:32:33 2001
@@ -655,6 +655,12 @@
 		       unsigned long, const char *, void *);
 extern void free_irq(unsigned int, void *);

+#ifdef CONFIG_NOUSER
+#define capable(x)	1
+#define suser()		1
+#define fsuser()	1
+#else
+
 /*
  * This has now become a routine instead of a macro, it sets a flag if
  * it returns true (to do BSD-style accounting where the process is flagged
@@ -706,6 +712,8 @@
 	}
 	return 0;
 }
+
+#endif /* CONFIG_NOUSER */

 /*
  * Routines for handling mm_structs

diff -ur linux/Documentation/Configure.help nouser/Documentation/Configure.help
--- linux/Documentation/Configure.help	Mon Apr  2 18:53:29 2001
+++ nouser/Documentation/Configure.help	Tue Apr 24 18:08:49 2001
@@ -13626,6 +13626,14 @@
   a work-around for a number of buggy BIOSes. Switch this option on if
   your computer crashes instead of powering off properly.

+Disable Multi-user (DANGEROUS)
+CONFIG_NOUSER
+  Disable kernel multi-user support. Normally, we treat each user
+  differently, depending on his/her permissions. If you _really_
+  think that you're not going to use your computer in a hostile
+  environment and would like to cut a few bytes, say Y.
+  Most people should say N.
+
 Watchdog Timer Support
 CONFIG_WATCHDOG
   If you say Y here (and to one of the following options) and create a
diff -ur linux/arch/i386/config.in nouser/arch/i386/config.in
--- linux/arch/i386/config.in	Mon Feb  5 18:50:27 2001
+++ nouser/arch/i386/config.in	Tue Apr 24 17:53:42 2001
@@ -244,6 +244,8 @@
    bool '    Use real mode APM BIOS call to power off' CONFIG_APM_REAL_MODE_POWER_OFF
 fi

+bool 'Disable Multi-user (DANGEROUS)' CONFIG_NOUSER
+
 endmenu

 source drivers/mtd/Config.in

[OFFTOPIC] Re: [PATCH] Single user linux

[Mike A. Harris]

On Tue, 24 Apr 2001 imel96@trustix.co.id wrote:

>a friend of my asked me on how to make linux easier to use
>for personal/casual win user.
>
>i found out that one of the big problem with linux and most
>other operating system is the multi-user thing.
>
>i think, no personal computer user should know about what's
>an operating system idea of a user. they just want to use
>the computer, that's it.
>
>by a personal computer i mean home pc, notebook, tablet,
>pda, and communicator. only one user will use those devices,
>or maybe his/her friend/family. do you think that user want
>to know about user account?
>
>from that, i also found out that it is very awkward to type
>username and password every time i use my computer.
>so here's a patch. i also have removed the user_struct from
>my kernel, but i don't think you'd like #ifdef's.
>may be it'll be good for midori too.

trustix.co.id?  hehehe.

If you don't want to login with user/password, then change your
password to "".  Don't want to even do that?  Then just change
/etc/inittab to invoke "login -f username" instead of mingetty or
whatever.  No need at all to hack the kernel up.

Dunno why you sent the patch here or to Linus though..  The
chance of it even being looked at are about 1/2^infinity  ;o)

I've got a hacked up version of mingetty that allows you to
configure autologins on tty's if you like.  You're welcome to my
packages if you like just email me privately. It is useful if you
are in an environment where physical security is not a concern at
all, but network security is still a concern.  I use it so I can
boot up, login once, and it fires up tty's on all consoles for
me.  It can also bypass any login if you like.


----------------------------------------------------------------------
    Mike A. Harris  -  Linux advocate  -  Free Software advocate
          This message is copyright 2001, all rights reserved.
  Views expressed are my own, not necessarily shared by my employer.
----------------------------------------------------------------------

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Tomas Telensky]

> 
> trustix.co.id?  hehehe.
> 
> If you don't want to login with user/password, then change your
> password to "".  Don't want to even do that?  Then just change
> /etc/inittab to invoke "login -f username" instead of mingetty or
> whatever.  No need at all to hack the kernel up.
> 
> Dunno why you sent the patch here or to Linus though..  The
> chance of it even being looked at are about 1/2^infinity  ;o)

:-) Great.
You and Alex are right - I agree that this is a complete moronism.

But, what I should say to the network security, is that AFAIK in the most
of linux distributions the standard daemons (httpd, sendmail) are run as
root! Having multi-user system or not! Why? For only listening to a port
<1024? Is there any elegant solution?

  Tomas

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Mohammad A. Haque]

On Tue, 24 Apr 2001, Tomas Telensky wrote:

> :-) Great.
> You and Alex are right - I agree that this is a complete moronism.
>
> But, what I should say to the network security, is that AFAIK in the most
> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any elegant solution?

If your distro is runnign httpd as root you may want to give them a nice
swift kick in the behind. By default apache is configured to run as
nobody.

Dunno about sendmail.

Correct. <1024 requires root to bind to the port.

-- 

=====================================================================
Mohammad A. Haque                              http://www.haque.net/
                                               mhaque@haque.net

  "Alcohol and calculus don't mix.             Project Lead
   Don't drink and derive." --Unknown          http://wm.themes.org/
                                               batmanppc@themes.org
=====================================================================

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alexander Viro]

On Tue, 24 Apr 2001, Mohammad A. Haque wrote:

> Correct. <1024 requires root to bind to the port.

... And nothing says that it should be done by daemon itself.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alan Cox]

> On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > Correct. <1024 requires root to bind to the port.
> ... And nothing says that it should be done by daemon itself.

Or that you shouldnt let inetd do it for you
And that you shouldn't drop the capabilities except that bind

It is possible to implement the entire mail system without anything running
as root but xinetd.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alexander Viro]

On Tue, 24 Apr 2001, Alan Cox wrote:

> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
> 
> Or that you shouldnt let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
> 
> It is possible to implement the entire mail system without anything running
> as root but xinetd.

You want an MDA with elevated privileges, though...

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alan Cox]

> > It is possible to implement the entire mail system without anything running
> > as root but xinetd.
> 
> You want an MDA with elevated privileges, though...

What role requires priviledge once the port is open ?

	DNS lookup does not
	Spooling to disk does not
	Accepting a connection from a client does not
	Doing peercred auth with a client does not
	Copying spool articles matching the peercred to the client does not

Alan

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alexander Viro]

On Tue, 24 Apr 2001, Alan Cox wrote:

> > > It is possible to implement the entire mail system without anything running
> > > as root but xinetd.
> > 
> > You want an MDA with elevated privileges, though...
                 ^
> What role requires priviledge once the port is open ?

.forward handling may, depending on how much do you want to put into it.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[CaT]

On Tue, Apr 24, 2001 at 03:37:34PM +0100, Alan Cox wrote:
> What role requires priviledge once the port is open ?
> 
> 	DNS lookup does not
> 	Spooling to disk does not
> 	Accepting a connection from a client does not
> 	Doing peercred auth with a client does not
> 	Copying spool articles matching the peercred to the client does not

Running procmail as the user who is to receive the email for local mail
delivery as running it with gid mail (for eg) would allow one user to
modify another's mail.

(just a thought - the above's valid with sendmail at least)

-- 
CaT (cat@zip.com.au)		*** Jenna has joined the channel.
				<cat> speaking of mental giants..
				<Jenna> me, a giant, bullshit
				<Jenna> And i'm not mental
					- An IRC session, 20/12/2000

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alan Cox]

> > 	Copying spool articles matching the peercred to the client does not
> 
> Running procmail as the user who is to receive the email for local mail
> delivery as running it with gid mail (for eg) would allow one user to
> modify another's mail.

What is this gid mail crap ? You don't need priviledge. You get the mail by
asking the daemon for it. procmail needs no priviledge either if it is done
right.

You just need to think about the security models in the right way. Linux gives
you the ability to do authenticated uid/gid checking over a socket connection.
That is an incredibly powerful model for real compartmentalisation.

Alan

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[CaT]

On Tue, Apr 24, 2001 at 03:59:28PM +0100, Alan Cox wrote:
> What is this gid mail crap ? You don't need priviledge. You get the mail by
> asking the daemon for it. procmail needs no priviledge either if it is done
> right.
> 
> You just need to think about the security models in the right way. Linux gives
> you the ability to do authenticated uid/gid checking over a socket connection.
> That is an incredibly powerful model for real compartmentalisation.

Ok. My experience isn't all that great so I may well be missing something
here. But what?

1. email -> sendmail

2. sendmail figures out what it has to do with it. turns out it's deliver
it locally for user blah

3. sendmail starts procmail so that it delivers the email.

4. procmail goes through the recepie list for user blah and eventually
delivers the email (one way or another)

Now, in order for step 4 to be done safely, procmail should be running
as the user it's meant to deliver the mail for. for this to happen
sendmail needs to start it as that user in step 3 and to do that it
needs extra privs, above and beyond that of a normal user.

Now as I said, I'm not a UNIX God[tm] and so I may well be missing something
vital. If so, what is it? This sounds like something that would be way
useful to learn. :)

-- 
CaT (cat@zip.com.au)		*** Jenna has joined the channel.
				<cat> speaking of mental giants..
				<Jenna> me, a giant, bullshit
				<Jenna> And i'm not mental
					- An IRC session, 20/12/2000

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alan Cox]

> 1. email -> sendmail
> 2. sendmail figures out what it has to do with it. turns out it's deliver
...

> Now, in order for step 4 to be done safely, procmail should be running
> as the user it's meant to deliver the mail for. for this to happen
> sendmail needs to start it as that user in step 3 and to do that it
> needs extra privs, above and beyond that of a normal user.

	email -> sendmail
	sendmail 'its local' -> spool

user:
	get_mail | procmail
	mutt

The mail server doesnt need to run procmail. If you wanted to run mail batches
through on a regular basis you can use cron for it, or leave a daemon running

	

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alex Riesen]

On Tue, Apr 24, 2001 at 04:53:10PM +0100, Alan Cox wrote:
> > 1. email -> sendmail
> > 2. sendmail figures out what it has to do with it. turns out it's deliver
> ...
> 
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.
> 
> 	email -> sendmail
> 	sendmail 'its local' -> spool
Isn't this a good thing to have spam filtered out before it will be
written in spool?

Alex Riesen

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Jesse Pollard]

---------  Received message begins Here  ---------

> 
> > 1. email -> sendmail
> > 2. sendmail figures out what it has to do with it. turns out it's deliver
> ...
> 
> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.
> 
> 	email -> sendmail
> 	sendmail 'its local' -> spool
> 
> user:
> 	get_mail | procmail
> 	mutt
> 
> The mail server doesnt need to run procmail. If you wanted to run mail batches
> through on a regular basis you can use cron for it, or leave a daemon running

And get_mail must have elevated privileges to search for the users mail...
or sendmail must have already switched user on reciept to put it in the
users inbox which also requires privleges...

And an additional daemon (owned by the user) is yet another attack point...

Cron could be used to batch message handling... as long as it runs before
the users quota is used up. This becomes the same as using IMAP or fetchmail
to download it.

It's much more efficent to process each mail as it arrives.

All this does is move the program that requires privileges to somewhere
else. It doesn't eliminate it.

Granted, sendmail could use a better implementation of a security model.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alan Cox]

> And get_mail must have elevated privileges to search for the users mail...
> or sendmail must have already switched user on reciept to put it in the
> users inbox which also requires privleges...

No. Think instead of blindly following existing implementation

	socket(AF_UNIX, SOCK_STREAM, 0);
	connect("/var/run/mailservice");
	write("GIMMEMYMAIL\n");
	read("200 CATCH..");
	read(all my mail)

The daemon needs no priviledge. The client needs no priviledge. The 
PEERCRED authentication on AF_UNIX sockets does the work. I can even pass you
back the file handle of the mailbox if I was using an old style non database
indexed mail spool.

> It's much more efficent to process each mail as it arrives.

You are doing a lot more exec() calls that way. If you get enough mail
to make spool space an issue you want a daemon.

Alan

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Markus Schaber]

Hello,

On Tue, 24 Apr 2001, Alan Cox wrote:

> > Now, in order for step 4 to be done safely, procmail should be running
> > as the user it's meant to deliver the mail for. for this to happen
> > sendmail needs to start it as that user in step 3 and to do that it
> > needs extra privs, above and beyond that of a normal user.
>
> 	email -> sendmail
> 	sendmail 'its local' -> spool
>
> user:
> 	get_mail | procmail
> 	mutt
>
> The mail server doesnt need to run procmail. If you wanted to run mail batches
> through on a regular basis you can use cron for it, or leave a daemon running

Oh, well, cron is just another suid program.

This example would just be the ideal scenario for posix- or novell-style
ACLs in the filesystem.

You run the MDA/MTA under some mailerdaemon uid. And then a user can
explicitly give this daemon read access to .procmail etc. You can also
give the MTA (and nobody else) write access to /var/spool/mail. The MDA
then gives the specifical user full access to the spoolfile when creating
it, or adding mail to it. And the user can fetch his mail and truncate or
delete the file just as he and his software is used to.

There are much more things with ACLs, especially in workgroup environments
(That's why I loved the old Novel server in our university), but they
never got into the kernel.  And as far as I (as a non-hacker) understand,
the fields reserved for this feature were dropped for the large file
support, so we may never see ACLs.

Gruß,
Markus
-- 
| Gluecklich ist, wer vergisst, was nicht aus ihm geworden ist.
+---------------------------------------.     ,---------------->
http://www.uni-ulm.de/~s_mschab/         \   /
mailto:markus.schaber@student.uni-ulm.de  \_/

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Gábor Lénárt]

On Tue, Apr 24, 2001 at 03:18:11PM +0100, Alan Cox wrote:
> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
> 
> Or that you shouldnt let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
> 
> It is possible to implement the entire mail system without anything running
> as root but xinetd.

Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and
use port 2525 as SMTP port in your MTA. I've succeed to setup such a
configuration.

-- 
 --[ Gábor Lénárt ]---[ Vivendi Telecom Hungary ]---------[ lgb@lgb.hu ]--
 U have 8 bit comp or chip of them and it's unused or to be sold? Call me!
 -------[ +36 30 2270823 ]------> LGB <-----[ Linux/UNIX/8bit 4ever ]-----

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Pjotr Kourzanoff]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: TEXT/PLAIN; charset=X-UNKNOWN, Size: 556 bytes --]

On Tue, 24 Apr 2001, [iso-8859-2] Gábor Lénárt wrote:
>
> Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and

  This is more like 25 -> 2525 :-)

> use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> configuration.

  This requires you to ensure that your MTA is started first on that
  port...Might be difficult to achieve reliably in an automatic way
  without root privileges :-(

  mailuser@foo% /etc/rc.d/init.d/sendmail stop
  badguy@foo% ./suck 2525
  mailuser@foo% /etc/rc.d/init.d/sendmail start
  ...

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Gábor Lénárt]

On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> On Tue, 24 Apr 2001, [iso-8859-2] Gábor Lénárt wrote:
> >
> > Or even without xinetd. Just use local port forwarding eg 2525 -> 25, and
> 
>   This is more like 25 -> 2525 :-)

OK, that was a hard night for me, I need some sleeeeeep :)

> > use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> > configuration.
> 
>   This requires you to ensure that your MTA is started first on that
>   port...Might be difficult to achieve reliably in an automatic way
>   without root privileges :-(
> 
>   mailuser@foo% /etc/rc.d/init.d/sendmail stop
>   badguy@foo% ./suck 2525
>   mailuser@foo% /etc/rc.d/init.d/sendmail start

Yes, you're right. But this is a mail server without any user on it
(even users are authenticated from LDAP).

-- 
 --[ Gábor Lénárt ]---[ Vivendi Telecom Hungary ]---------[ lgb@lgb.hu ]--
 U have 8 bit comp or chip of them and it's unused or to be sold? Call me!
 -------[ +36 30 2270823 ]------> LGB <-----[ Linux/UNIX/8bit 4ever ]-----

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[CaT]

On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> > use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> > configuration.
> 
>   This requires you to ensure that your MTA is started first on that
>   port...Might be difficult to achieve reliably in an automatic way
>   without root privileges :-(
> 
>   mailuser@foo% /etc/rc.d/init.d/sendmail stop
>   badguy@foo% ./suck 2525
>   mailuser@foo% /etc/rc.d/init.d/sendmail start

Not necessarily. While I have no yet used the feature, iptables
permits firewalling on userid. I presume this includes wether or
not a program can listen on a port, right? (and all the other
fun things).

If so then all you'd have to do is deny external access to port 2525
and only permit mailuser to listen etc on it and you're set.

-- 
CaT (cat@zip.com.au)		*** Jenna has joined the channel.
				<cat> speaking of mental giants..
				<Jenna> me, a giant, bullshit
				<Jenna> And i'm not mental
					- An IRC session, 20/12/2000

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Pjotr Kourzanoff]

On Wed, 25 Apr 2001, CaT wrote:

> On Tue, Apr 24, 2001 at 04:49:57PM +0200, Pjotr Kourzanoff wrote:
> > > use port 2525 as SMTP port in your MTA. I've succeed to setup such a
> > > configuration.
> >
> >   This requires you to ensure that your MTA is started first on that
> >   port...Might be difficult to achieve reliably in an automatic way
> >   without root privileges :-(
> >
> >   mailuser@foo% /etc/rc.d/init.d/sendmail stop
> >   badguy@foo% ./suck 2525
> >   mailuser@foo% /etc/rc.d/init.d/sendmail start
>
> Not necessarily. While I have no yet used the feature, iptables
> permits firewalling on userid. I presume this includes wether or

  man iptables.

> not a program can listen on a port, right? (and all the other
> fun things).
>
> If so then all you'd have to do is deny external access to port 2525
> and only permit mailuser to listen etc on it and you're set.

  For this to work, you need to hack up iptables on the mail server
  itself as -m owner only works for locally generated packets. And
  even then ./suck will receive on 2525 but will not be able to reply.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Gerhard Mack]

On Tue, 24 Apr 2001, Alan Cox wrote:

> > On Tue, 24 Apr 2001, Mohammad A. Haque wrote:
> > > Correct. <1024 requires root to bind to the port.
> > ... And nothing says that it should be done by daemon itself.
> 
> Or that you shouldnt let inetd do it for you
> And that you shouldn't drop the capabilities except that bind
> 
> It is possible to implement the entire mail system without anything running
> as root but xinetd.
> 
Qmail does exactly this afik.  

I've always found the root < 1024 to be quite limmited and find myself
wishing I could assign permissions based on ip/port. 

	Gerhard

 

--
Gerhard Mack

gmack@innerfire.net

<>< As a computer I find your faith in technology amusing.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alan Cox]

> I've always found the root < 1024 to be quite limmited and find myself
> wishing I could assign permissions based on ip/port. 

Its been done. Search for 'sockfs' I believe it was called.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alexander Viro]

On Tue, 24 Apr 2001, Tomas Telensky wrote:

> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any elegant solution?

Sendmail is old. Consider it as a remnant of times when network was
more... friendly. Security considerations were mostly ignored - and
not only by sendmail. It used to be choke-full of holes. They were
essentially debugged out of it in late 90s. It seems to be more or
less OK these days, but it's full of old cruft. And splitting the
thing into reasonable parts and leaving them with minaml privileges
they need is large and painful work.

There are alternatives (e.g. exim, or two unmentionable ones) that are
cleaner. Besides, there are some, erm, half-promises that next major
release of sendmail may be a big cleanup. Hell knows what will come out
of that.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Tomas Telensky]

On Tue, 24 Apr 2001, Alexander Viro wrote:

> 
> 
> On Tue, 24 Apr 2001, Tomas Telensky wrote:
> 
> > of linux distributions the standard daemons (httpd, sendmail) are run as
> > root! Having multi-user system or not! Why? For only listening to a port
> > <1024? Is there any elegant solution?
> 
> Sendmail is old. Consider it as a remnant of times when network was
> more... friendly. Security considerations were mostly ignored - and
> not only by sendmail. It used to be choke-full of holes. They were
> essentially debugged out of it in late 90s. It seems to be more or
> less OK these days, but it's full of old cruft. And splitting the
> thing into reasonable parts and leaving them with minaml privileges
> they need is large and painful work.

Thanks for the comment. And why not just let it listen to 25 and then
being run as uid=nobody, gid=mail?
  Tomas

> 
> There are alternatives (e.g. exim, or two unmentionable ones) that are
> cleaner. Besides, there are some, erm, half-promises that next major
> release of sendmail may be a big cleanup. Hell knows what will come out
> of that.
> 

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Alexander Viro]

On Tue, 24 Apr 2001, Tomas Telensky wrote:

> Thanks for the comment. And why not just let it listen to 25 and then
> being run as uid=nobody, gid=mail?

Handling of .forward, for one thing. Or pipe aliases, or...

None of this stuff is unsolvable (e.g. handling of .forward belongs to
MDA, not MTA), but changing that will break existing setups.

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[David Gómez]

On Tue, 24 Apr 2001, Tomas Telensky wrote:

> 
> But, what I should say to the network security, is that AFAIK in the most
> of linux distributions the standard daemons (httpd, sendmail) are run as
> root! Having multi-user system or not! Why? For only listening to a port
> <1024? Is there any elegant solution?
> 

httpd as root ? that's what i call a clueless network admin.
sendmail has an OBSOLETE design. Use a good MTA like qmail. Exim or
smail are ok, but they're still "sendmailish".


David Gómez

"The question of whether computers can think is just like the question of
 whether submarines can swim." -- Edsger W. Dijkstra

Re: [OFFTOPIC] Re: [PATCH] Single user linux

[Ben Ford]

Tomas Telensky wrote:

<snip>

>But, what I should say to the network security, is that AFAIK in the most
>of linux distributions the standard daemons (httpd, sendmail) are run as
>root! Having multi-user system or not! Why? For only listening to a port
><1024? Is there any elegant solution?
>

Yes, most daemons have the ability to switch user ID once they have 
bound tho the port.  Additionally, support is starting to show up for 
capabilities.  I know that ProFTPD has support.  Now, assuming it is 
running on a newer kernel, it never needs to be root, because it has 
been granted the capability to open a low port.  Even if it is cracked, 
it cannot do other things like . . . insert a kernel module, . . . 
overwrite /etc/passwd . . . . . etc

-b

-- 
Three things are certain:
Death, taxes, and lost data
Guess which has occurred.
- - - - - - - - - - - - - - - - - - - -
Patched Micro$oft servers are secure today . . . but tomorrow is another story!