"Jason Brooke" <[EMAIL PROTECTED]> writes:
> > If you run qmail-smtpd directly from inetd.conf, as suggested in the
> > INSTALL file distributed with qmail-1.03, then there is a pretty good
> > chance that the instance of qmail-smtpd being attacked will grow to
> > eat all of memory. What happens then depends upon your OS. On
> > GNU/Linux, a random process will be killed; there is a pretty good
> > chance that the random process will be the large qmail-smtpd.
> > Alternatively, a careful attacker who really understands your system
> > can create several fairly large qmail-smtpd processes and
> > significantly increase the chance that the random process which is
> > killed will be something other than qmail-smtpd. In this scenario
> > this attack can indeed be a denial of service.
>
> actually for what it's worth, if you follow the directions in INSTALL you
> should generally hit the 'read FAQ' before getting down to the section of
> INSTALL that says to use inetd (for upgrading from sendmail) :)
>
> FAQ pretty much points you at tcpserver

I would say that that is a mere quibble, except that it isn't even
that. It isn't tcpserver which prevents qmail-smtpd from growing
without bound; it is softlimit. softlimit isn't mentioned in the
INSTALL file or the FAQ which is distributed with qmail 1.03. The
daemontools are mentioned, but not in the context of resource limits.

Obviously there isn't anything wrong with qmail. And obviously these
bug reports are highly misleading in implying that there is a bug
which needs to be fixed in qmail. But I do think that the bug reports
have a point: if you install qmail-1.03 according to a reasonable
reading of the instructions which come with the tar file, your system
may be vulnerable to a theoretical denial of service attack. The fact
that other people tell you to install qmail in a different way is
interesting, but does not change the fact that qmail-1.03 comes with
installation instructions which at least some people will naturally
follow. I certainly did in my first qmail installation.

Dan could fix this by releasing qmail-1.03.1 with different
installation instructions. Of course, if he did, some people would
take that to be an admission that there actually is a security hole in
qmail-1.03.

Ian
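
Added example, not part of the original message and not code from qmail or daemontools: softlimit works by calling setrlimit() and then exec'ing the program it wraps, so the limit is inherited by every process started beneath it. The C sketch below shows that mechanism on a stand-in child process that keeps allocating; the helper name grow_under_cap and the 32 MB / 64 MB figures are assumptions chosen for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

#define MB (1024L * 1024L)

/* Hypothetical helper: fork a child, optionally cap its address space at
 * cap_mb megabytes (0 = leave the limit alone), then let it grow in 1 MB
 * steps up to want_mb. Returns how many MB the child obtained, or -1. */
long grow_under_cap(long cap_mb, long want_mb)
{
    int fd[2];
    if (pipe(fd) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }

    if (pid == 0) {                      /* child: stands in for the daemon */
        close(fd[0]);
        if (cap_mb > 0) {                /* what a limit wrapper does before exec */
            struct rlimit rl = { (rlim_t)cap_mb * MB, (rlim_t)cap_mb * MB };
            if (setrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        }
        long got = 0;
        while (got < want_mb) {
            volatile char *p = malloc(MB);   /* never freed: models growth */
            if (p == NULL) break;            /* allocation refused at the cap */
            p[0] = 1;
            got++;
        }
        if (write(fd[1], &got, sizeof got) != (ssize_t)sizeof got) _exit(3);
        _exit(0);
    }

    close(fd[1]);
    long got = -1;
    if (read(fd[0], &got, sizeof got) != (ssize_t)sizeof got) got = -1;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return got;
}

int main(void)
{
    printf("no limit : child obtained %ld of 64 MB\n", grow_under_cap(0, 64));
    printf("32 MB cap: child obtained %ld of 64 MB\n", grow_under_cap(32, 64));
    return 0;
}
```

With the cap in place the child's allocations start failing before it reaches 32 MB, and the failure stays inside that one process instead of pushing the whole machine out of memory.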