Date: 20 Dec 1998 17:33:47 -0000
Message-ID: <19981220173347.8783.qmail@cr.yp.to>
Mail-Followup-To: qmail@list.cr.yp.to
From: "D. J. Bernstein" <djb@cr.yp.to>
To: qmail@list.cr.yp.to
Subject: Anonymous postfix denial of service, snooping, theft, mailbombing
References: <0d1701be27ec$638d91e0$1d01a8c0@fishtank> <Pine.BSI.3.96.981215004607.1554F-100000@ns2.michweb.net> <13944.8162.70437.741992@non.non.net> <ylg1afzlrv.fsf@windlord.stanford.edu>

Russ Allbery writes:
> So far as I can tell, neither qmail nor Postfix is really superior in
> the sense of basic design; some different approaches were taken
> between them, but the differences don't seem massively significant to me.

Consider, for example, the fact that the IBM ``Secure'' Mailer says it
requires a world-writable directory for users to drop off messages.

Nothing stops a user from listing the contents of the drop directory---
the filenames are easily guessable---to see uids and sizes of outgoing
mail. It doesn't matter how well you've protected your process list and
mail log; the queue is unprotected. The user has to win a race with the
queue sweeper, of course, but he can easily do this by creating
thousands of extra files in the drop directory, and removing them when
he's done snooping.

Even worse, nothing stops a user from making some hard links to another
user's files in the drop directory. postfix refuses to deliver a file
with more than one link. There is no way to identify the culprit.

(In the security community, the standard solution to that problem is to
avoid world-writable directories. For example, if a user puts temporary
files into $HOME/tmp, and there are no world-writable directories on the
$HOME filesystem, then there's no place for an attacker to put an
anonymous hard link. I also think that link() should be prohibited for
people other than the file owner; but that's not how UNIX works today.)

Furthermore, on systems that allow file giveaways, nothing stops a user
from creating thousands of messages in the postfix drop directory under
another user's name. Again, there is no way to identify the culprit. All
the logs will blame the wrong user.

Finally, if a user sets up a mode-700 file in a world-readable directory
on the same filesystem as the postfix drop directory, then an attacker
can try linking the file into the drop directory. If the first user
removes the file, and if the file happens to have the right structure
for an outgoing postfix message, then postfix will go ahead and mail it!

Why doesn't postfix use a protected queue, and a setuid program to add a
message to the queue with guaranteed user identification? The postfix
documentation says that this is a security feature! ``No Postfix program
is set-uid. Introducing the concept was the biggest mistake made in UNIX
history. Set-uid (and its weaker cousin, set-gid) causes more trouble
than it is worth. ...''

Certainly setuid programs require a great deal of care. They've been
involved in many security disasters, though certainly not as many as
world-writable directories. The security community would love to see
another portable IPC mechanism offering guaranteed user identification.
However, while we're waiting, we need a few setuid programs.

---Dan
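As an added example (not code from qmail, Postfix or this post), the check a queue sweeper can apply when it picks a file out of a drop directory, covering the hard-link and file-giveaway hazards described above: open with O_NOFOLLOW, fstat the descriptor, and refuse anything that has more than one link or the wrong owner. The `demo_hardlink_detection` function, its temp directory and its file names are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { QF_OK = 0, QF_OPEN = -1, QF_NOTREG = -2, QF_LINKED = -3, QF_OWNER = -4 };

/* Open without following symlinks, then fstat the descriptor so the checks
 * apply to the object actually opened, not to a path swapped underneath us.
 * A second hard link or an unexpected owner means the file cannot be
 * attributed to its submitter. Returns an open fd (>= 0) or a QF_* code. */
int open_queue_file(const char *path, uid_t expected_uid) {
    struct stat st;
    int rc = QF_OK, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return QF_OPEN;
    if (fstat(fd, &st) != 0) rc = QF_OPEN;
    else if (!S_ISREG(st.st_mode)) rc = QF_NOTREG;
    else if (st.st_nlink != 1) rc = QF_LINKED;
    else if (st.st_uid != expected_uid) rc = QF_OWNER;
    if (rc != QF_OK) { close(fd); return rc; }
    return fd;
}

/* 1 if path is accepted for uid (the fd is closed again), else 0. */
static int accepted(const char *path, uid_t uid) {
    int fd = open_queue_file(path, uid);
    if (fd >= 0) close(fd);
    return fd >= 0;
}

/* Constructed scenario in a private temp directory: a submission gains a
 * second hard link and is refused, is accepted once that link is gone, and
 * is refused for the wrong owner. Returns 0, or the number of the failing step. */
int demo_hardlink_detection(void) {
    char dir[] = "/tmp/dropXXXXXX", msg[64], alias[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(msg, sizeof msg, "%s/msg", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    int step = 0, fd = open(msg, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) step = 2; else close(fd);
    if (!step && !accepted(msg, getuid())) step = 3;
    if (!step && link(msg, alias) != 0) step = 4;
    if (!step && open_queue_file(msg, getuid()) != QF_LINKED) step = 5;
    unlink(alias);
    if (!step && !accepted(msg, getuid())) step = 6;
    if (!step && open_queue_file(msg, getuid() + 1) != QF_OWNER) step = 7;
    unlink(msg); rmdir(dir);
    return step;
}
```

The nlink check only detects the planted link; as the post notes, it cannot say who planted it, which is why the directory layout itself is the real fix.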