Arch Linux

Underscore at the beginning of user/group name are openbsd convention to system user/group. We don't follow this.

Postfix (and others) mail servers use only one user. What security improvment there is to have 3 users? Do you have link?

We already have a user to handle mail on a system, it's mail user. And this avoid to setup new user in install script and reserve uid/gid in our db.

Hi,

I'm not an ArchLinux user but one of the OpenSMTPD developers.
I was pointed to this issue by an ArchLinux user (not Hugo) and I thought I should jump in because the comment above kinds of scare me ;-)


> Postfix (and others) mail servers use only one user. What security improvment there is to have 3 users? Do you have link?

I'm not going to comment on other mail servers and their design, but to answer your question:

http://en.wikipedia.org/wiki/Privilege_separation
https://docs.google.com/drawings/d/1RZDJyeyfJ8MqdV9mfLamCzleIVqUoel55bxgMwd52YY/edit?usp=sharing

The queue process runs unprivileged and chrooted.
The lookup process runs unprivileged but out of a chroot and will possibly execute code that we didn't write (sqlite, db, ...).
In case of an exploitable vulnerability in the lookup code, the attacker will have privileges of the mail server.

If you run Hugo's package, the damage will be restricted because the "lookup" user will not have permissions to interact with other processes.

If you run this package, the lookup process will have read/write access to the queue, allowing it to leak information or cause corruption and data-loss.

In an ideal world where we are bug-free, you should be able to run with a single user; but privilege-separation is what ensures that a little bug doesn't escalate to a critical issue.

I *strongly* advise you to use separate users (respecting your naming convention of course since that is totally irrelevant to the issue here...)

Salut Gilles, thanks to join the bug tracker, you're probably the best to answer.

Don't be scared! Let me remind you that Archlinux tends to follow upstream guy advises, because they know better how their soft works.

However, where can I find more information on the purposes of each process (as we can find on postfix by example)? I don't find man pages or links on the website.

Following a long (and nice) discussion with Gilles on IRC, he explains me which kinds of attack his design should avoid.

So I think I will add 3 users, opensmtpd, opensmtpf, opensmtpq. And move all config files in /etc/opensmtpd (as Hugo also request by mail).

Any comments?

last breaking news from IRC

seblu | [00:55:18] __gilles: about gid and default path
seblu | [00:56:41] do you have suggestion? Same gid for both users? All 3 have default home on /var/spool/smtpd?
@__gilles | [09:34:13] 00:56 < seblu> do you have suggestion? Same gid for both users? All 3 have default home on /var/spool/smtpd?
@__gilles | [09:35:03] on my machine i have the same gid for the three users because no file is group writable anyway
@__gilles | [09:35:08] as for homedir
@__gilles | [09:35:25] i set them all to /var/empty
@__gilles | [09:36:00] except for queue process (_smtpq) they all chroot to their homedir
@__gilles | [09:36:12] whereas queue explicitely chroots to the spool directory
@__gilles | [09:37:01] though there's limited risk with a separate queue user, you'd still be better off setting them a different directory
@__gilles | [09:37:17] on a related note
@__gilles | [09:37:40] with _smtpd and _smtpq, the _smtpf user becomes unnecessary so we will discuss removing it
@__gilles | [09:37:57] it was introduced before we could separate the queue and precisely to achieve the result we obtained with the queue separation
@__gilles | [09:38:41] since we dont have filters enabled yet, running with only _smtpd and _smtpq is "safe" by our standards

version 5.3.3p1 is community-testing should fix this bug.

Hugo can you confirm that everything is good for you?

Gilles, please, let me know is there is something wrong with this setup. (e.g. I use gid 1 for smtp* users)