Re: sendmail

From: Jason (jason02@thechambers.us)
Date: 04/20/03


From: Jason <jason02@thechambers.us>
Date: Sun, 20 Apr 2003 12:10:57 -0700

This is a VERY good point! Can somebody tell me why there is not a
configuration file that would allow us to assign owners and groups to
ports under 1024?

This really doesn't seem too difficult! And after that Linux would
simply need to check if the user requesting to listen on port 24 is
the owner or in the group assigned to that port! This would really
help fix a LOT of issues!

~~~~~~~~~~~~~~~
Jason
www.erentpayer.com

On Sun, 20 Apr 2003 10:46:00 +0000, Andrzej Filip <anfi@Box43.pl>
wrote:

>Nico Kadel-Garcia wrote:
>> Andrzej Filip wrote:
>>> Chris Cox wrote:
>>>> Michael Heiming wrote:
>>>> ...
>>>>> I'd prefer to do this with upgrading to 8.12.9, hope there's now some
>>>>> silence, 2 security related updates in this year should be enough.;(
>>>>
>>>> A good QA person will tell you that two problems found in rapid
>>>> succession is NOT a good sign for the short term. My guess is
>>>> that there are several more problems to be found in a similar
>>>> vein as the two recent hits. Given the history of the product,
>>>> it's likely there are more major security issues left to be
>>>> uncovered in the mid-long term.
>>>
>>> The two CRITICAL vulnerabilities survived MANY years undetected - it
>>> makes the problem even worse.
>>
>> And the problems were quite subtle. Other MTAs, being closed source or
>> much newer, may have other such subtleties in their own code that have
>> not yet been exposed.
>
>I am 95% sure that some even more subtle vulnerability in another open
>source MTA is going to be detected in the next few years :-)
>There is a big chance that similar problems in "closed source" MTAs are
>routinely "swept under the carpet" and fixed silently in a minor upgrade without
>being exposed to the general public [there is no way to be sure].
>
>But the two problems have pushed "sendmail security" into defensive positions
>(again) after a few years of perceived improvement.
>
>>>> I'm not advocating postfix, exim or (gulp) qmail, but it might be
>>>> a good time to explore the alternatives. Some of sendmail's
>>>> obvious problems are caused by the ubiquity of the platform
>>>> (popular packages get hit harder via testing and live scenarios).
>>>> KISS products are generally a better fit whenever possible.
>>>
>>
>> When possible, yes. But sendmail is:
>>
>> 1: Heavily user tested
>> 2: Amazingly cross-platform
>> 3: Has an extremely large available feature set with extremely
>> granular control of that feature set.
>>
>> Those are going to be very tough to beat. The "heavily user tested"
>> alone means that it has operated at plenty of sites with more than
>> 10,000 clients, or more than 100,000 messages a day, and survived
>> multiple system upgrades since its installation. That kind of real-world
>> testing is hard to duplicate.
>>
>> Wait 10 years for postfix to suffer from "one more feature" and "one
>> more platform" development and see how well its security stands up. It
>> may stand up well, but I'll be very curious to see.
>>
>>> FYI: sendmail 9 is under development [total redesign].
>>
>> I'm hearing "different licensing", too.
>
>Could you post some relevant links ?
>
>P.S.
>Because the group is named comp.os.LINUX.security we should think how to make
>the Linux kernel more "application security" friendly by reducing the number of tasks
>which require root privileges,
>e.g. allowing listening on a port<1024 by a non-root user
>[e.g. allowing user "mta" to listen on port smtp (25)]
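
A sketch of the per-port owner/group check proposed in this thread, added here as an illustration and not code from any poster or from the Linux kernel. The `<port> <owner> <group>` file format, the function names and the sample entries are assumptions, and names stand in for the numeric UIDs/GIDs a kernel would compare.

```python
"""Model of a per-port owner/group bind policy (hypothetical, not a kernel feature)."""

PRIVILEGED_LIMIT = 1024  # ports below this are root-only by default

# Constructed sample in an assumed format: "<port> <owner> <group>"
SAMPLE_ACL = """\
# port owner group
25   mta    mail
53   named  named
"""


def parse_port_acl(text):
    """Return {port: (owner, group)}; reject malformed or ambiguous entries."""
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: expected '<port> <owner> <group>'")
        port = int(fields[0])
        if not 0 < port < PRIVILEGED_LIMIT:
            raise ValueError(f"line {lineno}: port {port} is not a privileged port")
        if port in acl:                          # two owners would be ambiguous
            raise ValueError(f"line {lineno}: port {port} assigned twice")
        acl[port] = (fields[1], fields[2])
    return acl


def may_bind(acl, port, user, groups=()):
    """Decide whether `user` (a member of `groups`) may listen on `port`."""
    if not 0 < port < 65536:                     # port 0 (kernel-chosen) is out of scope
        return False
    if port >= PRIVILEGED_LIMIT or user == "root":
        return True                              # existing behaviour is unchanged
    entry = acl.get(port)
    if entry is None:
        return False                             # unassigned ports stay root-only
    owner, group = entry
    return user == owner or group in groups


if __name__ == "__main__":
    acl = parse_port_acl(SAMPLE_ACL)
    for who, grps, port in [("mta", (), 25), ("alice", ("mail",), 25),
                            ("alice", ("users",), 25), ("mta", (), 53)]:
        print(f"{who:6} port {port:<3} -> {may_bind(acl, port, who, grps)}")
```

Linux does not read such a file; the nearest existing controls are the `CAP_NET_BIND_SERVICE` capability and the `net.ipv4.ip_unprivileged_port_start` sysctl, neither of which ties a specific port to a specific user or group.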


