Re: mail.local vs. Smail3
On Mon, 4 Jan 1999, Theo de Raadt wrote:
> > I would like to make changes to the way OpenBSD delivers and stores mail.
> > It's silly and needlessly paranoid to insist that mail.local run as root.
> > Instead, the files in the mail spool directory (/var/mail/<user>) should
> > have gid=mail and run mail.local with gid mail and uid nobody (as Smail
> > prefers).
>
> Considering all the problems that come from having the spool operate
> under another gid (various NFS cooperation issues and such), what are
> the supposed security benefits which you see from running the spool as
> non-root?
If mail.local can run in non-privileged mode and still get the job done,
why force it to be root? The code may have been scrubbed for holes
recently but there's no guarantee that future changes will preserve the
integrity (the project doesn't have armies of developers).
NFS cooperation issues are no harder or easier with root vs. another GID.
With root you need to pay attention to root privileges in the NFS exports
files; with a new GID, you have to sync your groups files across the
network (disregarding NIS). It's 50-50.
>
> Because, to be honest, I don't see any benefits.
>
The benefits: the mailer (in this case Smail3) doesn't need to start yet
another root process. Smail3 prefers to be cautious when delivering and
will revert to user=nobody under well defined circumstances. I had to hack
my configuration to bypass all the checks and force the pipe process to
be launched as root.
I'll cheerfully admit that my scheme may not be the best approach. One
alternative I like would favour placing the individual mailboxes in the
user's home directory, somewhat like DJB's Qmail, but shipping with that
configuration is likely to confuse people even more...
Ultimately, I'm trying to make sure that we balance usability and
security.
Ciao!
--Louis
Louis Bertrand, Bowmanville, ON, Canada
<louis@signalpath.on.ca>
OpenBSD: Security matters <www.OpenBSD.org>
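An added audit for the spool layout the reply proposes (mailboxes under /var/mail owned by the user with gid=mail, so a delivery agent running as uid nobody / gid mail can append without root). This is example code, not part of the original thread or of OpenBSD or Smail3; it assumes the spool directory itself is setgid with the mail group so new mailboxes inherit that gid, and that mailboxes are mode 0660.

```shell
#!/bin/sh
# check_spool SPOOL MAIL_GID
# Verifies, without privileges, that a spool directory matches the
# assumed layout: directory group = MAIL_GID with the setgid bit set,
# every mailbox file group = MAIL_GID and mode exactly 0660 (owner and
# group read/write, nothing for other). Only ls, awk and cut are used,
# so it behaves the same under BSD and GNU userland.
# Exit status 0 means the layout is as expected; 1 lists each deviation.
check_spool() {
    spool=$1
    mail_gid=$2
    bad=0
    dir_ls=$(ls -lnd "$spool") || return 1
    dir_perm=$(printf '%s\n' "$dir_ls" | cut -c1-10)
    dir_gid=$(printf '%s\n' "$dir_ls" | awk '{print $4}')
    [ "$dir_gid" = "$mail_gid" ] ||
        { echo "$spool: gid $dir_gid, want $mail_gid"; bad=1; }
    # Character 7 of the mode string is the group-execute slot;
    # 's' or 'S' there means the setgid bit is set on the directory.
    case "$dir_perm" in
        ??????[sS]*) ;;
        *) echo "$spool: setgid bit not set ($dir_perm)"; bad=1 ;;
    esac
    for box in "$spool"/*; do
        [ -f "$box" ] || continue
        box_ls=$(ls -ln "$box")
        box_perm=$(printf '%s\n' "$box_ls" | cut -c1-10)
        box_gid=$(printf '%s\n' "$box_ls" | awk '{print $4}')
        [ "$box_gid" = "$mail_gid" ] ||
            { echo "$box: gid $box_gid, want $mail_gid"; bad=1; }
        # A world-readable mailbox leaks mail; a world-writable one lets
        # anyone forge it. Require exactly rw-rw---- for every mailbox.
        [ "$box_perm" = "-rw-rw----" ] ||
            { echo "$box: mode $box_perm, want -rw-rw----"; bad=1; }
    done
    return $bad
}
```

Run it as `check_spool /var/mail "$(awk -F: '$1=="mail"{print $3}' /etc/group)"` to audit a live spool against the mail group's numeric gid.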