Varad,
I may be talking out of turn as I am fairly new to Postfix, but I think
we need to distinguish between a *practical* risk and a *theoretical* risk.

Theoretically, any software that runs as root, sufficiently attacked,
could be used to compromise an entire system. The sufficient attack
would simply be arbitrary native code injection (the worst and hardest
kind of attack, but always a theoretical risk).

However, that does not mean the root user, and by extension root-owned
processes, is fundamentally toxic. By reductio ad absurdum, the root user
shouldn't exist at all!

Practically speaking, what Postfix does much better than sendmail (among
other things) is reduce the amount of *time* and *code* and *scope of
operation* over which superuser privileges are used. This is
accomplished with a modular design that quickly dispatches to lower
privilege modes to actually do anything, like process untrusted input,
write or delete a file, or send a message.

More experienced admins, please confirm with acknowledgements and/or
refinements of this.
-Daniel
On 1/30/2011 9:32 PM, varad gupta wrote:
Thanx for all the replies - I now understand the reason for the master
daemon to run with superuser privileges. They were really helpful.

But then, is postfix not running the same risk as "sendmail"?

As a student, I was told that sendmail is a single monolithic binary,
performing all its functions as superuser; therefore if an attacker
could control the sendmail process, he/she would have superuser
access.

Does it mean that, unless run in a chroot environment, postfix is
susceptible to the same risks as sendmail and gives an attacker the
capability of causing similar damage (despite having a far better
system of tasks divided amongst various unprivileged processes
designed to perform specific tasks)?

Regards
On Sun, Jan 30, 2011 at 11:47 PM, Victor Duchovni <[email protected]> wrote:
On Sun, Jan 30, 2011 at 05:22:39PM +0530, varad gupta wrote:

Is it not a risk running master as root (the same reason for running
other processes as unprivileged)?

No, quite the opposite. It takes privileges to "drop" privileges. A well
designed system (such as Postfix) is *more* secure by in part using root
privileges to enable it to operate in multiple security contexts.

My short maxim for this is indebted to a marketing campaign:
http://en.wikipedia.org/wiki/Frank_Perdue
"it takes a tough man to make a tender chicken"

By which I mean that you sometimes need higher privileges to optimally
use lower privileges.
--
Viktor.
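An added illustration, not code from this thread and not Postfix's own source, of the two points made above: Daniel's "privileged master that dispatches real work to lower-privilege processes" and Viktor's "it takes privileges to drop privileges". The parent keeps its identity only long enough to fork; the child sheds supplementary groups, gid and uid (in that order, because each step needs the privilege the next one gives up) and only then touches anything "untrusted". Assumptions: Linux with glibc; when started as root the demo drops to uid/gid 65534 (assumed to be the conventional nobody account, any unprivileged id would do); when started as an ordinary user the process can only "switch" to the ids it already holds, which is exactly why an unprivileged process cannot build this kind of separation on its own.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical unprivileged identity used when the demo starts as root.
 * 65534 is assumed to be "nobody"; it is not something from the thread. */
#define DEMO_UNPRIV_ID 65534

/* Permanently drop to uid/gid. Order matters: supplementary groups first
 * (only root can call setgroups, and only root has groups worth shedding),
 * then the gid (setgid would fail once we are no longer root), uid last.
 * Returns 0 on success, -1 if any step fails or the result does not match. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Never trust the calls alone: confirm real and effective ids changed. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Returns 1 if an attempt to regain root fails with EPERM, i.e. the drop was
 * permanent (setuid() as root also replaced the saved uid, so there is no
 * privileged identity left to return to). Returns 0 if root came back. */
int root_is_unrecoverable(void) {
    if (setuid(0) == 0) return 0;
    return errno == EPERM;
}

/* Identity to drop to: an unprivileged id when we are root, otherwise our
 * own ids (the only ones an unprivileged process may "switch" to). */
uid_t demo_target_uid(void) { return geteuid() == 0 ? DEMO_UNPRIV_ID : getuid(); }
gid_t demo_target_gid(void) { return geteuid() == 0 ? DEMO_UNPRIV_ID : getgid(); }

/* The master/worker split: fork a child, drop privileges inside it, run the
 * handler there, and hand the child's exit status back to the still-privileged
 * parent. The parent itself never processes the untrusted data.
 * Returns the worker's exit status, 2 if the drop failed, -1 on fork/wait error. */
int run_unprivileged(int (*handler)(void), uid_t uid, gid_t gid) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(2);
        _exit(handler() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in for "process untrusted input": the only thing this worker does is
 * check that the sandbox it was handed actually holds. */
static int untrusted_worker(void) {
    return root_is_unrecoverable() ? 0 : 1;
}

int main(void) {
    uid_t target = demo_target_uid();
    int rc = run_unprivileged(untrusted_worker, target, demo_target_gid());
    printf("started as uid %u, worker ran as uid %u, exit status %d "
           "(0 = root unrecoverable in the worker)\n",
           (unsigned)geteuid(), (unsigned)target, rc);
    return rc == 0 ? 0 : 1;
}
```

Run it once as an ordinary user and once as root: in both cases the worker reports that root cannot be regained, but only the root run actually changed identity, because the unprivileged run had no privilege to give up in the first place.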