LinuxQuestions.org


predrag 09-11-2004 12:05 PM

mount suid
 
Just how more insecure is it to mount /var on OpenBSD (3.5 patch) suid? It is mounted nosuid by default, but I could not manage to make vqadmin and qmailadmin work with /var mounted as nosuid.

Tnx.

chort 09-12-2004 03:16 AM

That means you're allowed to execute suid binaries and scripts on that partition, which can be particularly bad in the case of /var since that's where Apache and BIND live, and also the mail spool, cron spool, etc... All of those are potential vectors for attack. If an attacker manages to find an suid script on that partition, or an suid binary, and they can exploit it with a buffer overflow, or by forcing it to execute commands of their choosing, you'll be rooted. Of all the partitions, /var is probably the one you least want to mount with suid allowed.

Is there a particular reason you want qmail? Postfix works great on OpenBSD and is well supported. It's easier to set up and use than Qmail and it has a native port (unlike Qmail). The OpenBSD Sendmail (installed by default) is also quite a bit more secure than the normal Sendmail, because the OpenBSD developers have hardened it a great deal (although it's still an exercise in frustration to try to edit the configuration).
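
A quick way to check the point chort makes, as an added example that is not from the thread or from OpenBSD itself: a POSIX shell function that reads fstab text and reports every mount point other than / that is not mounted nosuid. The sample fstab, its device names and the function names are constructed for this example.

```shell
# Added example (not from the thread): audit fstab text for partitions that
# still allow setuid execution. Input is fstab text on stdin; output is one
# line per mount point that is NOT mounted nosuid, followed by its options.
# Constructed sample modelled on an OpenBSD-style fstab; the device names
# are placeholders, not taken from the original post.
SAMPLE_FSTAB='/dev/wd0a / ffs rw 1 1
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd0e /var ffs rw,nodev 1 2
/dev/wd0f /home ffs rw,nodev,nosuid 1 2
/dev/wd0g /tmp ffs rw,nodev,nosuid 1 2
swap /var/tmp mfs rw,nodev,nosuid,-s=32768 0 0'

# Print "<mountpoint> <options>" for each mount whose option list lacks
# "nosuid". The root filesystem is skipped because the system's own setuid
# binaries must keep working; every other mount is a candidate for nosuid.
# Usage: printf '%s\n' "$fstab_text" | audit_fstab
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        # skip blank lines and comment lines
        case "$dev" in ''|\#*) continue ;; esac
        [ "$mnt" = "/" ] && continue
        # wrap in commas so "nosuid" is matched as a whole option
        case ",$opts," in
            *,nosuid,*) ;;                          # hardened: nothing to report
            *) printf '%s %s\n' "$mnt" "$opts" ;;   # suid execution allowed here
        esac
    done
}

# Number of suid-allowing mount points (other than /) in a given fstab text.
count_suid_mounts() {
    printf '%s\n' "$1" | audit_fstab | wc -l | tr -d ' '
}

# Example run on the constructed sample: reports /usr and /var.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

On the constructed sample the function flags /usr and /var. /usr allowing suid is expected in a default layout, since that is where the system's setuid binaries live; /var showing up is exactly the exposure described above, and the same check run against a real /etc/fstab shows at a glance which partitions still lack nosuid (and, with the pattern changed to nodev, which still allow device nodes).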

predrag 09-12-2004 08:01 AM

Yes, qmail comes with a set of useful apps for administration, namely vqadmin and qmailadmin. I need those, especially the possibility that users can set up autoreply messages from the web interface alone, that domain admins can add and modify users within their domains (from the web interface) etc.

I am also more than satisfied with postfix and have used it extensively. I now have a running system supporting virtual domains and all security/privacy related addons, but it seems unlikely to find a web interface that will enable the normal user to, say, manage his own vacation message, the domain admin user to use the web interface to add/delete users, make new forwards, delete the old ones etc. The postfix+courier imap+authuserdb works just perfectly for me and I need absolutely nothing more as far as the server itself is concerned. But users here want commodity and I simply have to see to it that they get it.
