On Wednesday, July 2, 2003, at 10:46 AM, Serge Knystautas wrote:
Santiago Gala wrote:
I think a good equilibrium point between the "marketing" view of security (making sysadmins trust) and the purist Java technical view would be to allow James not having to run as root under Unix (to handle protected ports like 25, 110, etc.) and then securing the rest of the processing through Java security declarations.
Since people here know qmail and sendmail a lot better than I do... how do they bind to those ports without running as root?
A guiding principle of qmail is that no process should do more than the absolute minimum and it certainly shouldn't have any more rights than the absolute minimum. Living up to those principles demands having lots of user accounts, each with exactly the minimum number of rights, and then using fork to create safe bubbles - setting the user before forking to create the bubbles, and then cleverly passing just the right stuff to these processes to give them the right capabilities. So for example a process that's root has the right to create a listener, but that process can then fork a process, passing it that listener to give the capability to a process/user with much more restricted rights.
We used to have a patch for HTTP that allowed a short-lived root process to create the HTTP listener and then pass that open file handle to the server (notifying it where to find it via a parameter). That enabled the entire server to run in user space. It fell off the wagon at some point.
I know nothing about sendmail, makes you jealous doesn't it?
- ben
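The pattern Ben describes (root creates the listener, then a forked child with an unprivileged uid/gid inherits the open socket and does all the work) in its simplest Unix form, as an added example that is not from the thread or from the James or qmail code; the uid/gid 65534 and the port 25 banner are assumptions.

```c
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

/* Create, bind and listen on a loopback TCP socket; returns the fd or -1.
 * Ports below 1024 need root; port 0 asks for an ephemeral port and does not. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently give up root: supplementary groups and gid first (setuid would
 * forbid that afterwards), then uid; finally prove root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* the drop did not stick */
    return 0;
}

/* Stand-alone demo (run as root): bind port 25, fork, and let only the
 * unprivileged child (uid/gid 65534, an assumed "nobody" account) serve it. */
int main(void)
{
    int fd = bind_listener(25), status;
    if (fd < 0) { perror("bind_listener"); return 1; }
    pid_t pid = fork();
    if (pid == 0) {                           /* worker: no root from here on */
        if (drop_privileges(65534, 65534) < 0) _exit(1);
        int c = accept(fd, NULL, NULL);       /* inherited listener still works */
        if (c >= 0 && write(c, "220 ready\r\n", 11) > 0) close(c);
        _exit(0);
    }
    close(fd);                    /* the root parent keeps only the child's pid */
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The final `setuid(0)` probe in `drop_privileges` is the check sysadmins care about: a worker that can silently regain root has not really left the privileged bubble.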
