Christian Franke:
> >> http://chrfranke.no-ip.org/cygwin/postfix-2.11.3-1.src.patch
> >> Shouldn't break builds on other platforms. This was tested on Debian.
> > Generally, this patch skips crucial security/safety features that
> > are difficult to enforce through a POSIX-on-Windows API. I see no
> > enforcement of uid/gid separation (permission checks are made in
> > the program itself instead of in the OS kernel, uid/gid numbers are
> > passed in an environment variable instead of being protected by the
> > OS kernel), weak or no enforcement of directory/file/socket
> > permissions,
>
> This is not the case.
>
> Cygwin does a good job mapping POSIX users/groups/permissions to Windows
> users/groups/ACLs. Its setuid() emulation actually performs user context
> switching.
I was looking at code like this:
+int cygwin_setuid(uid_t uid)
+{
+ init();
+ if (!uid && emul_ruid) {
+ MSG_DEBUG("setuid(%u): EPERM", uid);
+ errno = EPERM;
+ return -1;
+ }
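Review bot: the `if (!uid && emul_ruid)` check that returns EPERM lives entirely inside the calling process, so it is an in-process policy rather than a kernel-enforced boundary; any code running in the same address space can skip this function or change `emul_ruid` before calling it, which is the point Wietse raises about userland privilege checks. The hunk also shows only the uid-0 case and relies on `init()` to set up `emul_ruid`, so the patch should document where `emul_ruid` comes from and which other uid transitions `cygwin_setuid()` allows or rejects, so that reviewers can see the full policy in one place.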
This code restricts privilege manipulations in userland, instead
of protected OS kernel space.
> https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid-overview
>
> Like Cygwin's crond and sshd, the postfix master runs under a privileged
> Windows user account (default "cyg_server").
Your patch says none of that, and as far as I can tell there is
nothing in your patch code that actually enforces that things are
set up in a particular manner.
No enforcement of private socket access permissions.
> > and no enforcement of file size limits.
>
> Yes. Unfortunately Cygwin does not implement RLIMIT_FSIZE because
> (AFAIK) there is no equivalent in the Win32 API.
>
> And yes, there are other aspects which differ from POSIX systems.
That's why I would not rely on the POSIX subset that can be
supported by Windows.
> > To run Postfix on Windows, I suggest using a VM with BSD or Linux,
> > or doing a proper port. The port would abstract out Postfix
> > security/safety features and provide different translation layers
> > for POSIX and Windows environments (instead of emulating a POSIX
> > subset on Windows)
>
> A first step for a translation layer would be to replace all (uid == 0)
> checks by something like (is_privileged_uid(uid)). I actually tried this
> but dropped this approach for now because there are so many of such
> checks in postfix :-)
Indeed, Postfix was written to make the "best" out of the limited
security that UNIX and C had to offer (50% of the code is a layer
on top of libc). I think that making the "best" out of Windows
security requires more than finding POSIX equivalents. Windows has
a different attack surface, and all the holes need to be plugged.
Wietse