Roger Merchberger writes:

> Personally, I'm not interested in religious claims that run-time
> configuration is evil; tho that's all I've seen so far from you.

I've said nothing of the sort. I'm simply asking what the benefits are.
You don't understand why I want adequate justification before I add code
to security-critical programs?

Let's consider, for example, the patch that people are asking me to use,
making qmail-lspawn run qmail-getpw as the uid that owns
/var/qmail/owners/uidp, rather than as a compiled-in qmailp uid.

What happens if there's a security hole in getpwnam(), on a UNIX system
that allows file giveaways?

With this patch, the attacker breaks into qmail-getpw, then changes the
owner of /var/qmail/owners/uidp to root, then breaks into root, then has
complete control over your system. The security barrier around root has
been breached.

Don't bother saying how the patch can be fixed. That's not the point.
Screwing around with root code is dangerous. If I ask ``why?'' then you
need a better answer than ``why not?''

> As it sits, a RedHat rpm is nearly (if not totally) impossible

Not at all. See http://pobox.com/~djb/qmail/var-qmail.html.

> vendors aren't willing to convert to qmail because of that.

Several turnkey system vendors have converted to qmail.

The basic problem with Redhat is that Donnie Barnes says he won't ship
software that he doesn't control (``own'' in Eric Raymond's language).
Changing the uid handling would not meet his demands.

> How about simple, dynamic reconfiguration without the need to recompile.

When's the last time you reconfigured your system uids? You have to take
the system down and do a massive file conversion. Why is it such a big
deal to reinstall qmail on these rare occasions?

---Dan
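As an added illustration of the trust problem discussed in the message above (this is not qmail's code nor the patch being debated), the following C helper derives a uid from a file's owner the way such a patch would, and shows the checks a reviewer would want before any privilege switch depends on file ownership: no symlink following, regular file only, not group/world writable, and never uid 0, since on a system with file giveaways a compromised owner could chown the file to root. The path and program name are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Derive a uid from the owner of PATH (a hypothetical owner file, in the
   spirit of /var/qmail/owners/uidp from the thread) for a later privilege
   switch.  Returns the uid, or -1 when the file must not be trusted. */
long long owner_uid_for_privdrop(const char *path) {
    struct stat st;
    /* O_NOFOLLOW: a symlink planted by the file's owner must not redirect
       the lookup to some other, more privileged file. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    close(fd);
    if (!S_ISREG(st.st_mode)) return -1;             /* no directories/devices */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return -1; /* nobody else may retarget it */
    /* The case in the post: with file giveaways, whoever holds the uid can
       chown the file to root, and the next run would switch to root.
       Refusing uid 0 removes that escalation path. */
    if (st.st_uid == 0) return -1;
    return (long long)st.st_uid;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s OWNER_FILE\n", argv[0]); return 2; }
    long long uid = owner_uid_for_privdrop(argv[1]);
    if (uid < 0) { fprintf(stderr, "%s: not a trustworthy uid source\n", argv[1]); return 1; }
    printf("would drop to uid %lld\n", uid);
    return 0;
}
```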