Subject: Re: localhost security hole
To: Andrew Brown <atatat@atatdot.net>
From: David Porowski <dproski@erols.com>
List: current-users
Date: 06/29/2003 01:32:14
Andrew Brown wrote:

> >Sorry to be a "butinski", but I feel compelled to reply
> >to this thread.  As a user who is frequently "untethered",
> >(laptop) and also security conscious, I would consider the
> >following points:
> >
> >1)  never run sendmail as a daemon
>
> you have no choice now (unless you set sendmail back to suid root),
> but you can tell it (as you always could) only to listen on the
> loopback interface.

Merely illustrates that I have not used sendmail for
some time, hence my "plug" for qmail.  I will have to
take a closer look at postfix, though.

>
> >2)  never run sendmail as suid root
>
> it doesn't now.
>

Quite glad to know that.  I have admired the movement
away from suid root for programs out of numerous security
concerns.

>
> >3)  always configure nsswitch as: hosts: files dns
>
> that's the default setting.

As it should be.  The other way around (dns / files)
presumes that DNS is always correct.

>
>
> >4)  always chmod /etc/hosts as 0666
>
> i shall assume you mean 0444 here.

Absolutely.  (The "devil" made me quote "666".)

>
>
> >5)  always use 127.0.0.1 localhost.domain localhost
>
> actually, i'd recommend "127.0.0.1 localhost localhost.domain" so that
> you can look up localhost.domain (using gethostbyname()), but the
> canonical name for it will be returned as localhost.
>

Interesting.  I guess I have always preferred the FQDN
as canonical, but that could be useful.

>
> >IMHO, root mail should, by default, only go to the
> >local machine.  Any management changes for network
> >mail collection can always be scp pushed to these
> >machines.  DNS can be spoofed, and your first line
> >of defense is what you have the closest control of.
>
> if you're going to have your root mail go to another machine, one
> would assume you have taken some steps to be reasonably sure it gets
> there.
>

You are correct.  The only point that I was trying to make
is that for a default installation and configuration, that
local security should take higher precedence over ease of
establishing a root mail server (or a log server).

>
> --
> |-----< "CODE WARRIOR" >-----|
> codewarrior@daemon.org             * "ah!  i see you have the internet
> twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
> werdna@squooshy.com       * "information is power -- share the wealth."
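To make items 3 and 5 of the thread concrete, here is an added example (not code from either poster) that models two things the libc resolver does: it takes the first name after the address on an /etc/hosts line as the canonical name and the rest as aliases, and it consults the sources named on the nsswitch "hosts:" line in order, first answer wins. The hosts lines, the DNS table and the 203.0.113.9 address are constructed inputs.

```python
"""Model of /etc/hosts canonical-name selection and nsswitch 'hosts:' ordering."""

# Constructed sample /etc/hosts contents (not from a real system).
HOSTS_FQDN_FIRST = "127.0.0.1 localhost.domain localhost\n"   # item 5 as posted
HOSTS_SHORT_FIRST = "127.0.0.1 localhost localhost.domain\n"  # Andrew's variant

# Constructed DNS view: a wrong or spoofed answer for localhost.domain.
FAKE_DNS = {"localhost.domain": ("localhost.domain", "203.0.113.9")}


def parse_hosts(text):
    """Return (address, canonical, aliases) per /etc/hosts line.

    Comments and blank lines are skipped; the first name after the
    address is canonical, any further names are aliases."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def lookup_files(name, hosts_text):
    """Hosts-file source: match canonical name or alias, return (canonical, addr)."""
    for addr, canon, aliases in parse_hosts(hosts_text):
        if name == canon or name in aliases:
            return (canon, addr)
    return None


def lookup_dns(name, dns_table):
    """DNS source: constructed table standing in for a real query."""
    return dns_table.get(name)


def resolve(name, hosts_text, dns_table, order=("files", "dns")):
    """Consult sources in nsswitch order; the first source with an answer wins."""
    for source in order:
        if source == "files":
            hit = lookup_files(name, hosts_text)
        elif source == "dns":
            hit = lookup_dns(name, dns_table)
        else:
            raise ValueError(f"unknown nsswitch source {source!r}")
        if hit is not None:
            return hit
    return None
```

With "files dns" the loopback entry answers before DNS is ever asked; with "dns files" the constructed DNS answer is returned instead.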