Bugtraq mailing list archives

Re: Anonymous Qmail Denial of Service


From: nmm1 () CUS CAM AC UK (Nick Maclaren)
Date: Mon, 4 Jan 1999 17:46:53 +0100


Illuminatus Primus <vermont () GATE NET> writes:

> I think it is far easier to implement secure enforcement of policy when
> the privilege levels are more clearly separated than in setid.  Sending
> the data through sockets is one way to accomplish this.  Check out userv:
> http://www.chiark.greenend.org.uk/~ian/userv/
>
> I'm sure implementing something similar that allows portable
> authentication of uids wouldn't be that hard - I can think of several
> schemes right now.

Yes, that is most people's experience on first thinking about the
problem, but it becomes harder the deeper you look into it.  One very
nasty problem is the following:

    Server A has ownership X and is acting on behalf of user Y.

    Client B is owned by Y, but is actually a server acting on behalf
    of user Z, and then calls A.

    Should A regard its user as X, Y or Z?

This sort of thing can be resolved, but is pretty hard to do starting
from an unsuitable system (like Unix or MVS.)  You need to build the
concept of proxy authorities from the very start, and allow for an
arbitrary level of nesting.

And then you need to start thinking about remote processes, and whether
the authentication of the remote system needs to be taken into account.
Or things like shared memory servers, where a single transaction may
have multiple originators (e.g. the sender and the receiver.)


Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email:  nmm1 () cam ac uk
Tel.:  +44 1223 334761    Fax:  +44 1223 334679
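
The X/Y/Z scenario from the message above, modelled in Python as an added example that is not part of the original post. The ACL, the action names, the `accept` helper and the rule that every principal in the chain must hold the right are assumptions chosen for illustration: one possible policy, not the author's answer.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Authority:
    """One link in a delegation chain: a process owned by `owner`,
    acting for `behalf` (None means it acts only for itself)."""
    owner: str
    behalf: "Authority | None" = None

    def chain(self):
        """Principals from the immediate process back to the originator."""
        node, out = self, []
        while node is not None:
            out.append(node.owner)
            node = node.behalf
        return out


# Constructed ACL (hypothetical actions): who may do what on server A.
ACL = {"read_spool": {"Y", "Z"}, "delete_spool": {"Y"}}


def flat_uid_check(caller, action):
    """What a plain uid check sees: only the owner of the calling process."""
    return caller.owner in ACL[action]


def chain_check(caller, action):
    """Assumed policy: every principal in the caller's chain must hold the
    right, so a proxy cannot lend more authority than its originator has."""
    return all(p in ACL[action] for p in caller.chain())


def accept(server_owner, caller):
    """Server takes the call and extends the chain by one more level."""
    return Authority(server_owner, behalf=caller)


# B is owned by Y but is really acting for Z, and then calls A (owned by X).
Z = Authority("Z")
B = Authority("Y", behalf=Z)
A = accept("X", B)

if __name__ == "__main__":
    print("chain seen after A accepts:", A.chain())
    print("flat uid allows delete:", flat_uid_check(B, "delete_spool"))
    print("chain allows delete:   ", chain_check(B, "delete_spool"))
```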


