From: Jesse Pollard <pollard@tomcat.admin.navo.hpc.mil>
To: linux-kernel@vger.kernel.org
Subject: Re: [OFFTOPIC] Re: [PATCH] Single user linux
Date: Tue, 24 Apr 2001 10:11:06 -0500 (CDT)
Message-ID: <200104241511.KAA22256@tomcat.admin.navo.hpc.mil>
Tomas Telensky <ttel5535@ss1000.ms.mff.cuni.cz>
> On Tue, 24 Apr 2001, Alexander Viro wrote:
> > On Tue, 24 Apr 2001, Tomas Telensky wrote:
> >
> > > of linux distributions the standard daemons (httpd, sendmail) are run as
> > > root! Having multi-user system or not! Why? For only listening to a port
> > > <1024? Is there any elegant solution?
> >
> > Sendmail is old. Consider it as a remnant of times when network was
> > more... friendly. Security considerations were mostly ignored - and
> > not only by sendmail. It used to be choke-full of holes. They were
> > essentially debugged out of it in late 90s. It seems to be more or
> > less OK these days, but it's full of old cruft. And splitting the
> > thing into reasonable parts and leaving them with minimal privileges
> > they need is large and painful work.

Actually, if you view sendmail as being an expert system it is very
cutting edge :-) It can identify a user from very skimpy data if it
is allowed to (fuzzy matching user names). It identifies local hosts
(with FQDN or partial name, or only host name).

> Thanks for the comment. And why not just let it listen to 25 and then
> being run as uid=nobody, gid=mail?

Because then everybody's mail would be owned by user "nobody".

There are some ways to do this, but they are unreliable.

1. If the user's mail is delivered to /var/mail/<username>; then the
   file /var/mail/<username> must always exist.
   This requires ALL MUAs to truncate the file.
   Some MUAs use file existence to determine if there is new mail.
   If it doesn't exist, then no new mail... ever.

2. sendmail will not be able to create the /var/mail/<username> mailbox.

3. sendmail will not be able to process forwarding mail.
   User nobody should not be able to read files in users' home
   directories... .forward files are private to the user...

4. sendmail will not be able to process user mail filters (same problem
   as forwarding).
   Note: these filters are applied on receipt of mail (saves time and
   disk space since the filter can discard mail immediately or put it
   in appropriate folders immediately).

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil
Any opinions expressed are solely my own.