Root privileges

  • varad gupta
    Message 1 of 13, Jan 30, 2011
      Hi

      A colleague asked me a question to which I had not given much thought before.

      We all know that most postfix daemons/services run as unprivileged
      users (apart from local and virtual), but the master daemon runs with
      root privileges?

      Is it not a risk running master as root (the same reason for running
      other processes as unprivileged) ?

      Output of the ps and lsof commands on my system is attached below:

      [root@vbg postfix]# ps -ef | grep master
      root 2237 1 0 16:29 ? 00:00:00 /usr/libexec/postfix/master

      [root@vbg postfix]# lsof -i tcp:25
      COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
      master 2237 root 12u IPv4 15503 0t0 TCP localhost.localdomain:smtp (LISTEN)


      Thanx in anticipation,


      Regards

      Varad Gupta
    • Ralf Hildebrandt
      Message 2 of 13, Jan 30, 2011
        * varad gupta <postfix.vbg@...>:
        > Hi
        >
        > A colleague asked me a question to which I had not given much thought before.

        That happens from time to time :)

        > We all know that most postfix daemons/services run as unprivileged
        > users (apart from local and virtual) but the master daemon runs with
        > root privileges?

        Yes.

        > Is it not a risk running master as root (the same reason for running
        > other processes as unprivileged) ?

        It must bind to ports < 1024 AND it must be able to spawn processes as
        other, unprivileged users.

        --
        Ralf Hildebrandt
        IT Division | Network Department
        Charité - Universitätsmedizin Berlin
        Campus Benjamin Franklin
        Hindenburgdamm 30 | D-12203 Berlin
        Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
        ralf.hildebrandt@... | http://www.charite.de
      • Wietse Venema
        Message 3 of 13, Jan 30, 2011
          varad gupta:
          > Hi
          >
          > A colleague asked me a question to which I had not given much thought before.
          >
          > We all know that most postfix daemons/services run as unprivileged
          > users (apart from local and virtual) but the master daemon runs with
          > root privileges?
          >
          > Is it not a risk running master as root (the same reason for running
          > other processes as unprivileged) ?
          >
          > Output of the ps and lsof commands on my system is attached below:
          >
          > [root@vbg postfix]# ps -ef | grep master
          > root 2237 1 0 16:29 ? 00:00:00 /usr/libexec/postfix/master
          >
          > [root@vbg postfix]# lsof -i tcp:25
          > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
          > master 2237 root 12u IPv4 15503 0t0 TCP localhost.localdomain:smtp (LISTEN)

          All Postfix daemons are created as a root-privileged process. Root
          privilege is needed during process initialization, to drop privileges,
          while shutting down Postfix, to impersonate a recipient, or to
          invoke a non-Postfix program without giving it postfix privileges.
          Examples of such system calls are: bind, chroot, set(e)uid,
          set(e)gid, (f)chown, kill.

          Wietse
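The sequence Ralf and Wietse describe (start as root, bind the privileged port, then give up gid and uid so that root can never be regained), as an added illustration in C; this is not Postfix code. The loopback port and the target ids 65534/65534 (commonly nobody/nogroup) are assumptions, and the sequence runs in a forked child so the calling process keeps its own identity; when the caller is not root, the bind falls back to an ephemeral port and the drop step is skipped, but the final check still has to pass.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define PRIV_PORT 25  /* the port master binds as root (assumed); ephemeral fallback when not root */

/* Bind and listen on a loopback TCP port; returns the fd or -1.
 * Binding a port below 1024 is the step that needs root. */
int bind_listener(int port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 8) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Give up root irreversibly. Supplementary groups and gid go first: after
 * setuid() there is no privilege left to change them. 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* 1 if the process is not root and setuid(0) is refused with EPERM. */
int privileges_are_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0) return 0;
    return setuid(0) != 0 && errno == EPERM;
}

/* Run the sequence in a child so the caller keeps its own identity.
 * Returns 0 on success, or the failed step: 1 bind, 2 drop, 3 still privileged. */
int run_unprivileged_service(uid_t uid, gid_t gid)
{
    int status, fd;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        fd = geteuid() == 0 ? bind_listener(PRIV_PORT) : -1;  /* root: privileged port */
        if (fd < 0 && (fd = bind_listener(0)) < 0) _exit(1);   /* else: any free port */
        if (geteuid() == 0 && drop_privileges(uid, gid) != 0) _exit(2);
        if (!privileges_are_dropped()) _exit(3);
        close(fd);  /* fd stayed usable: bound with privilege, served without it */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

The child returns 3 if it ends up still able to become root, which is the condition the thread is about: the point of starting as root is to reach a state where that call fails.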
        • Victor Duchovni
          Message 4 of 13, Jan 30, 2011
            On Sun, Jan 30, 2011 at 05:22:39PM +0530, varad gupta wrote:

            > Is it not a risk running master as root (the same reason for running
            > other processes as unprivileged) ?

            No, quite the opposite. It takes privileges to "drop" privileges. A well
            designed system (such as Postfix) is *more* secure by in part using root
            privileges to enable it to operate in multiple security contexts.

            My short maxim for this is indebted to a marketing campaign:

            http://en.wikipedia.org/wiki/Frank_Perdue

            "it takes a tough man to make a tender chicken"

            By which I mean that you sometimes need higher privileges to optimally
            use lower privileges.

            --
            Viktor.
          • varad gupta
            Message 5 of 13, Jan 30, 2011
              Thanx for all the replies - I now understand the reason for master
              daemon to run with superuser privileges. They were really helpful.

              But then, is postfix not running the same risk as "sendmail" ?

              As a student, I was told that sendmail is a single monolithic binary,
              performing all its functions as superuser; therefore if an attacker
              could control the sendmail process, he/she would have superuser
              access.

              Does it mean that, unless run in a chroot environment, postfix is
              susceptible to the same risks as sendmail and gives an attacker
              capability of causing similar damage (despite having a far better
              system of tasks divided amongst various unprivileged processes
              designed to perform specific tasks) ?


              Regards

              On Sun, Jan 30, 2011 at 11:47 PM, Victor Duchovni
              <Victor.Duchovni@...> wrote:
              > On Sun, Jan 30, 2011 at 05:22:39PM +0530, varad gupta wrote:
              >
              >> Is it not a risk running master as root (the same reason for running
              >> other processes as unprivileged) ?
              >
              > No, quite the opposite. It takes privileges to "drop" privileges.  A well
              > designed system (such as Postfix) is *more* secure by in part using root
              > privileges to enable it to operate in multiple security contexts.
              >
              > My short maxim for this is indebted to a marketing campaign:
              >
              >    http://en.wikipedia.org/wiki/Frank_Perdue
              >
              >    "it takes a tough man to make a tender chicken"
              >
              > By which I mean that you sometimes need higher privileges to optimally
              > use lower privileges.
              >
              > --
              >        Viktor.
              >
            • Victor Duchovni
              Message 6 of 13, Jan 30, 2011
                On Mon, Jan 31, 2011 at 08:02:28AM +0530, varad gupta wrote:

                > Thanx for all the replies - I now understand the reason for master
                > daemon to run with superuser privileges. They were really helpful.
                >
                > But then, is postfix not running the same risk as "sendmail" ?

                No.

                > Does it mean, that unless run in a chroot environment, postfix is
                > susceptible to the same risks as sendmail and gives an attacker
                > capability of causing similar damage (despite having a far better
                > system of tasks divided amongst various unprivileged processes
                > designed to perform specific tasks) ?

                No.

                --
                Viktor.
              • Daniel Bromberg
                Message 7 of 13, Jan 30, 2011
                  Varad,

                  I may be talking out of turn as I am fairly new to Postfix, but I think
                  we need to distinguish between a *practical* risk and a *theoretical* risk.

                  Theoretically, any software that runs as root, sufficiently attacked,
                  could be used to compromise an entire system. The sufficient attack
                  would simply be arbitrary native code injection (the worst and hardest
                  kind of attack, but always a theoretical risk.)

                  However, that does not mean the root user, and by extension root-owned
                  processes, is fundamentally toxic. By reductio ad absurdum, the root user
                  shouldn't exist at all!

                  Practically speaking, what Postfix does much better than sendmail (among
                  other things) is reduce the amount of *time* and *code* and *scope of
                  operation* over which superuser privileges are used. This is
                  accomplished with a modular design that quickly dispatches to lower
                  privilege modes to actually do anything, like process untrusted input,
                  write or delete a file, or send a message.

                  More experienced admins, please confirm with acknowledgements and/or
                  refinements of this.

                  -Daniel

                  On 1/30/2011 9:32 PM, varad gupta wrote:
                  > Thanx for all the replies - I now understand the reason for master
                  > daemon to run with superuser privileges. They were really helpful.
                  >
                  > But then, is postfix not running the same risk as "sendmail" ?
                  >
                  > As a student, I was told that sendmail is a single monolithic binary,
                  > performing all its functions as superuser; therefore if an attacker
                  > could control the sendmail process, he/she would have superuser
                  > access.
                  >
                  > Does it mean, that unless run in a chroot environment, postfix is
                  > susceptible to the same risks as sendmail and gives an attacker
                  > capability of causing similar damage (despite having a far better
                  > system of tasks divided amongst various unprivileged processes
                  > designed to perform specific tasks) ?
                  >
                  >
                  > Regards
                  >
                  > On Sun, Jan 30, 2011 at 11:47 PM, Victor Duchovni
                  > <Victor.Duchovni@...> wrote:
                  >> On Sun, Jan 30, 2011 at 05:22:39PM +0530, varad gupta wrote:
                  >>
                  >>> Is it not a risk running master as root (the same reason for running
                  >>> other processes as unprivileged) ?
                  >> No, quite the opposite. It takes privileges to "drop" privileges. A well
                  >> designed system (such as Postfix) is *more* secure by in part using root
                  >> privileges to enable it to operate in multiple security contexts.
                  >>
                  >> My short maxim for this is indebted to a marketing campaign:
                  >>
                  >> http://en.wikipedia.org/wiki/Frank_Perdue
                  >>
                  >> "it takes a tough man to make a tender chicken"
                  >>
                  >> By which I mean that you sometimes need higher privileges to optimally
                  >> use lower privileges.
                  >>
                  >> --
                  >> Viktor.
                  >>
                • Chris Tandiono
                  Message 8 of 13, Jan 30, 2011
                    On 30 Jan 2011, at 18:46 , Victor Duchovni wrote:

                    > On Mon, Jan 31, 2011 at 08:02:28AM +0530, varad gupta wrote:
                    >
                    >> Thanx for all the replies - I now understand the reason for master
                    >> daemon to run with superuser privileges. They were really helpful.
                    >>
                    >> But then, is postfix not running the same risk as "sendmail" ?
                    >
                    > No.
                    >
                    >> Does it mean, that unless run in a chroot environment, postfix is
                    >> susceptible to the same risks as sendmail and gives an attacker
                    >> capability of causing similar damage (despite having a far better
                    >> system of tasks divided amongst various unprivileged processes
                    >> designed to perform specific tasks) ?
                    >
                    > No.
                    >
                    > --
                    > Viktor.

                    I don't know how accurate my interpretation is, but the way I see it, postfix's master process, if hacked, would obviously present a lot of problems. But since it does less, it's also less open to hacks. For example, an empty program that does nothing cannot be hacked or exploited in any way because there is nothing to exploit. By moving most of the functions out of the master process, even if the other processes have flaws, they aren't privileged.

                    Someone else can feel free to correct me.

                    Chris
                  • Michael J Wise
                    Message 9 of 13, Jan 30, 2011
                      On Jan 30, 2011, at 6:50 PM, Chris Tandiono wrote:

                      > On 30 Jan 2011, at 18:46 , Victor Duchovni wrote:
                      >
                      >> On Mon, Jan 31, 2011 at 08:02:28AM +0530, varad gupta wrote:
                      >>
                      >>> Thanx for all the replies - I now understand the reason for master
                      >>> daemon to run with superuser privileges. They were really helpful.
                      >>>
                      >>> But then, is postfix not running the same risk as "sendmail" ?
                      >>
                      >> No.

                      Short answers from Victor are a good sign that you've headed down the wrong track. :)
                      There's a reason that Postfix was once known by another name.

                      >>> Does it mean, that unless run in a chroot environment, postfix is
                      >>> susceptible to the same risks as sendmail and gives an attacker
                      >>> capability of causing similar damage (despite having a far better
                      >>> system of tasks divided amongst various unprivileged processes
                      >>> designed to perform specific tasks) ?
                      >>
                      >> No.

                      Here's the first hint, you're comparing Oranges with Orangutans.
                      You say that Sendmail is a monolithic process running as root, and Postfix' Master process is running as root, so they are thus open to the same sorts of problems.

                      You are grossly incorrect.

                      To put it in another way, what vulnerabilities is the Master process exposed to? It doesn't talk to the internet, it doesn't talk to the local user. Almost all the interactions it has with anything are done via processes running with less privilege.

                      > I don't know how accurate my interpretation is, but the way I see it, postfix's master process, if hacked, would obviously present a lot of problems. But since it does less, it's also less open to hacks. For example, an empty program that does nothing cannot be hacked or exploited in any way because there is nothing to exploit. By moving most of the functions out of the master process, even if the other processes have flaws, they aren't privileged.
                      >
                      > Someone else can feel free to correct me.

                      Sounds about right.

                      Another point... is there any record AT ALL of Postfix ever being hacked?
                      Sendmail ... we don't have time to recount all the hacks, and quite frankly, I don't know where one would go to get a list, but I know that anything less than version 8.8.8 was considered insecure by definition, and that was about when I stopped keeping track way back then. Have never heard anything about Postfix.

                      Aloha,
                      Michael.
                      --
                      "Please have your Internet License http://kapu.net/~mjwise/
                      and Usenet Registration handy..."
                    • Morten P.D. Stevens
                      Message 10 of 13, Jan 30, 2011
                        2011/1/31 varad gupta <postfix.vbg@...>:
                        >
                        > But then, is postfix not running the same risk as "sendmail" ?

                        Sendmail is not a security risk. These are old horror stories. Why do big companies like IBM or Red Hat still use sendmail when postfix is supposed to be so much safer? Why is sendmail the default MTA on Solaris, AIX, FreeBSD, RHEL and some more? Because it is unsafe?

                        There is no software without vulnerabilities.

                        Whatever you use, postfix or sendmail ... the theoretical risk of attack is exactly the same.

                        Best regards,

                        Morten
                      • Victor Duchovni
                        Message 11 of 13, Jan 31, 2011
                          On Mon, Jan 31, 2011 at 05:06:08AM +0100, Morten P.D. Stevens wrote:

                          > Whatever you use, postfix or sendmail ... the theoretical risk of
                          > attack is exactly the same.

                          This is nonsense, design matters. Some software is safer by design.

                          Implementation flaws are still possible, but in *safer by design*
                          software they are less frequent, and have lower impact.

                          --
                          Viktor.
                        • Wietse Venema
                          Message 12 of 13, Jan 31, 2011
                            Victor Duchovni:
                            > On Mon, Jan 31, 2011 at 05:06:08AM +0100, Morten P.D. Stevens wrote:
                            >
                            > > Whatever you use, postfix or sendmail ... the theoretical risk of
                            > > attack is exactly the same.
                            >
                            > This is nonsense, design matters. Some software is safer by design.
                            >
                            > Implementation flaws are still possible, but in *safer by design*
                            > software they are less frequent, and have lower impact.

                            We should close this thread.

                            Wietse
                          • varad gupta
                            Message 13 of 13, Jan 31, 2011
                              Thanx for all the responses, especially Daniel.

                              And as Wietse says, let's close the thread...

                              Regards

                              On Tue, Feb 1, 2011 at 2:00 AM, Wietse Venema <wietse@...> wrote:
                              > Victor Duchovni:
                              >> On Mon, Jan 31, 2011 at 05:06:08AM +0100, Morten P.D. Stevens wrote:
                              >>
                              >> > Whatever you use, postfix or sendmail ... the theoretical risk of
                              >> > attack is exactly the same.
                              >>
                              >> This is nonsense, design matters. Some software is safer by design.
                              >>
                              >> Implementation flaws are still possible, but in *safer by design*
                              >> software they are less frequent, and have lower impact.
                              >
                              > We should close this thread.
                              >
                              >        Wietse
                              >