On Thu, May 13, 2004 at 10:44:36PM +0200, Paul J Stevens wrote:
> Sorry Dan, but you're wrong again:
>
> #> ps|grep postfix
>
> root      874  0.0  0.3  2756  816 ?  Ss  May11  0:00 /usr/lib/postfix/master
> postfix   878  0.0  0.6  5900 1600 ?  S   May11  0:00 qmgr -l -t fifo -u -c
> postfix 20510  0.0  0.7  5880 2040 ?  S   21:41  0:00 pickup -l -t fifo -u -c
>
> Postfix uses a master process running as root to spawn separate setuid
> programs.
>
> You are correct in seeing a network server running uid root as potentially
> exploitable. But best practice as shown by apache, postfix and mysql for
> that matter is to run a single limitedly scoped process that forks,
> spawns or begets in any conceivable fashion some separate or forked
> processes with reduced privileges.
Since we don't have anything that needs root, we should not be using it.
MySQL, Apache, and Postfix are storing user access passwords in logs. They
need their logs to be owned by root. Otherwise, an attacker could gain all
sorts of access with their logs. Apache also uses it for its reload stuff.
It's best not to take chances when you don't need to take them.

-- 
Dan Weber
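The master/worker pattern Paul describes above (a root master that forks children which then run with reduced privileges) is easy to get subtly wrong: supplementary groups must be cleared before the uid is dropped, the gid must go before the uid, and the child should prove to itself that root cannot be regained. The following is an added example written for this thread; it is not code from Postfix, Apache or MySQL, and it is not either poster's code. It assumes a hypothetical worker that does nothing but drop privileges and report back to the master over a pipe, and, when the master really is root, it drops to uid/gid 65534 (the conventional "nobody" ids; an assumption here, since a real service would look up a dedicated account with getpwnam). Run unprivileged it simply drops to the caller's own ids, which is all an unprivileged master may do.

```c
/* privsep_demo.c: a master process forks a worker, the worker permanently
 * drops privileges and verifies the drop, the master keeps its own ids.
 * Added example for this thread, not code from Postfix/Apache/MySQL. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (only root may change them), then the gid, then the uid; once the uid is
 * no longer 0 the process cannot touch its groups again.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Clear supplementary groups inherited from root (e.g. wheel, adm). */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)   /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)   /* real, effective and saved uid */
        return -1;
    return 0;
}

/* Prove the drop took: all ids match the target and, unless the target is
 * root itself, root cannot be regained through a lingering saved uid.
 * Returns 0 when the process is confirmed unprivileged. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) != -1)   /* must fail with EPERM */
        return -1;
    return 0;
}

/* Worker body (hypothetical): drop, verify, report the result to the master.
 * A real worker would go on to handle client connections here. */
static void run_worker(int report_fd, uid_t uid, gid_t gid)
{
    int status = 0;
    if (drop_privileges(uid, gid) != 0 || verify_dropped(uid, gid) != 0)
        status = 1;
    (void)write(report_fd, &status, sizeof status);
    _exit(status);
}

/* Master side: fork one worker, keep our own privileges, collect its report.
 * Returns the worker's status: 0 = dropped and verified, anything else = failed. */
int spawn_worker(uid_t uid, gid_t gid)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        run_worker(fds[1], uid, gid);   /* never returns */
    }
    close(fds[1]);
    int status = -1;
    if (read(fds[0], &status, sizeof status) != (ssize_t)sizeof status)
        status = -1;                    /* worker died before reporting */
    close(fds[0]);
    int wstatus;
    waitpid(pid, &wstatus, 0);
    return status;
}

/* Pick the target ids for the demo: 65534 ("nobody", an assumption) when the
 * master is root, otherwise our own ids since that is all we may switch to. */
int run_privsep_demo(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    return spawn_worker(uid, gid);
}

int main(void)
{
    int rc = run_privsep_demo();
    printf("master euid=%u, worker report: %s\n",
           (unsigned)geteuid(), rc == 0 ? "privileges dropped" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

The point of verify_dropped is the part most real-world code skips: a failed setgroups or a partially applied drop leaves a worker that looks unprivileged in `ps` but can still call setuid(0). Note also that the master never drops anything, which is exactly why Dan's objection about the master itself remaining root applies to this pattern: the master must be kept small and must not parse untrusted input.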