X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding; q=dns; s=
	default; b=UMTPnmFni8yUjT6IFvis6q4a7PjGCY2HkAuDgVlz0fJ08sXwuZEJ0
	EbkI+8KjfWH1q2rROODdUivLQaZpGQzaLlWkKen2L8+jFZEXyGymBImZl3IOEzJ7
	IenyzApR/EdJteEJH/D4EL1oPDV+xinoYIjpMjnznAvPcrwKbtMWkg=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding; s=default;
	 bh=Lw/1HY/qr35IfdEw0pfVOshQcBw=; b=VPAfi+sfplNCKOMoHW0amsJknu3m
	3xYK+zDI9RPW9GDev50DxqEsZ2Vy1xyEEL+EHLdas0YmUbOU7lit9un6F4l32Vg4
	ik2kqwMH2lPOlFMVP6uho1l3qS/WyReA7nOJawMuA9oykjDg9gQRcBLStxrMUZkf
	jEaXZHOXLqOt0Lg=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-1.5 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS autolearn=ham version=3.3.2
X-HELO: plane.gmane.org
To: cygwin AT cygwin DOT com
From: "D. Boland" <daniel AT boland DOT nl>
Subject: Re: The deprecated uid issue: use caps
Date: Sat, 26 Jul 2014 15:33:51 +0200
Lines: 84
Message-ID: <53D3AE3F.16D5F95C@boland.nl>
References: <53CF6CEC DOT 6D68E485 AT boland DOT nl> <53CF7012 DOT 2070608 AT tlinx DOT org> <53CF749A DOT 1315B799 AT boland DOT nl> <53D30D67 DOT 2070209 AT tlinx DOT org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes

Hi Linda,

Linda Walsh wrote:
> 
> D. Boland wrote:
> > Linda Walsh wrote:
> >> D. Boland wrote:
> >>> But I had to compromise in some critical areas. One of them is the uid issue.
> >>>
> >>> * sendmail, procmail, mail.local assume that the id of the privileged user is '0'.
> >>>
> >>> Isn't it about time to make this our First Directive also?
> >>>
> >>>
> >> I thought sendmail used capabilities?
> >>
> >> Isn't it about time none of them used a fixed 'uid', but used capabilities?
> >>
> >> I thought hard coding a Uid was going out with the dodo bird?
> >
> > You didn't get the point. We create a kernel on which Linux software runs. We don't
> > dictate how software should be written.
> You are missing the point.
> 
> MS privilege model is the MS version of the linux capability model.
> 
> MS didn't get it wrong, linux has been slow to adopt, but MS had linux
> capabilities 10 years before linux did.
> 
> Several other people have tried to explain that the way to go is to use
> the "minimum priviledge model".
> 
> For example, almost ALL user have the "unreadable directory traversal"
> priv/capability.
> 
> To enforce it cost alot in execution time on Windows (as it would under
> cygwin).
> 
> Another priviledge is to "impersonate" another user; sendmail would
> likely need such a privilege.  Another is to ignore file-permissions.
> It would be questionable whether or not sendmail needed that.
> 
> Sendmail was using capabilities back in 2000 when I brought a basic
> "non-reciprocal action"  bug in the capability code to the attention
> of Ted Tso, he told me and others that I didn't know what I was talking
> about and they were following POSIX and my "find" was irrelevant under
> POSIX.
> About 10 days later there was a day-zero exploit involving the bug
> in the defective code using sendmail's capability usage as the vector.
> The result was kernel caps being disabled for the next few years until
> the cap-code could be reviewed by more eyes and knew what to look for.
> 
> So I'm pretty sure sendmail has had code to extensively run solely off
> of capabilities and has had it for some time.  I'd be surprised if it
> was removed.
> 
> Linux software that uses the capability model is likely to not have
> these problems.  But saying that any random linux software with security
> bugs
> from the past should work on cygwin, seems like a ridiculous stance to
> take.
> 
> You can set capabilities on files processes and network sockets. Linux file
> systems with "extended attributes" or "alternate data forks" (2 names
> for the
> same thing), can and do support "SETCAP" on linux files that works just
> like SETUID, but for capabilities.
> 
> MS only supports the capability model and uses it to implement their
> Admin or privileged user model.  They don't support the less secure setuid
> model that linux is moving away from.
> 
> Does this help clarify the issue ?

Thanks for disagreeing. You are completely right. Sendmail seems to demand a much
more restrictive impersonation policy than Windows offers. That's why I can't get
the thing to work. It constantly tests if certain actions are allowed and if so, it
just refuses to deliver e-mail.

I'll look into this capabilities thing, but I do not intend to change anything
significant  in the Sendmail code. Maybe the folks at Proofpoint will switch to it
one day. 

Daniel


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple