Re: crashme crashes 2.0.20 with guarantee :-(

Olaf Titz (olaf@bigred.inka.de)
29 Sep 1996 18:29:32 +0200


Boris Tobotras <tobotras@jet.msk.su> wrote:
> It _is_ kernel design, sorry. sendmail _must_ run as root, at least

It is user-level design. Two tiny portions of sendmail must run as
root, not hundreds of kilobytes of unintelligible code. The error lies
in sendmail being monolithic.

> for two reasons: first, it has to have root privileges to bind to the smtp
> port. (This can be fixed by partial redesign, something like

...something like socket(...); bind(...); setuid(...). INN does this.

> Second is much worse: I definitely want to keep the current ability for
> sendmail to run programs on behalf of me (via .forward), and I don't see an
> easy way to enable this without having root privs.

But you can confine the root privs to a small section of code that
essentially does nothing but filter its parameters for sanity, assume
the right UID and call the delivering agent.

> Of course, in the particular case of sendmail the program can be split into
> several, but this will make the hole smaller, not eliminate it at all...

Has been done, look at qmail. This has been designed with the "minimum
privilege" principle in mind. Of the 13500 lines of (extremely dense)
C code, only 219 ever see UID 0. (Counts as of qmail 0.90)
This does not eliminate all potential sources of problems, but makes
the _potential_ holes small enough for humans to find by analyzing the
code.

Similar arguments hold for many programs. Look at everything that is
running as root and try to analyze what it really needs privileges
for. E.g., you don't need to run your average svgalib program as root
at all. Call it via a wrapper that sets up the I/O permissions and
switches UIDs (such a program, named ioperm, can be found on my web
pages). HTTP daemons don't need root for anything else than binding to
port 80. The "ping" and "traceroute" programs are setuid root, but
relinquish their privileges as soon as they have opened the socket (at
least newer versions). Etc.

The kernel issue is that we don't have a finer-grained permission
scheme. But with careful user mode design, this problem can at least
be alleviated.

olaf

-- 
___        Olaf.Titz@inka.de or @{stud,informatik}.uni-karlsruhe.de       ____
__ o           <URL:http://www.inka.de/~bigred/>     <IRC:praetorius>
__/<_              >> Just as long as the wheels keep on turning round
_)>(_)______________ I will live for the groove 'til the sun goes down << ____