[9037] in bugtraq

Re: Anonymous Qmail Denial of Service

daemon@ATHENA.MIT.EDU (Wietse Venema)
Mon Jan 11 13:13:27 1999

Date: Sun, 10 Jan 1999 17:35:36 -0500
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19990109221231.5482.qmail@cr.yp.to> from "D. J. Bernstein" at
              "Jan 9, 99 10:12:31 pm"

Bernstein's posting contains inaccuracies. Rather than boring the
reader I will just address a few. If there is sufficient demand I
will make the full list available for those who care.

>    * The world-writable drop directory was made unreadable. The
>      [Postfix] author called this a ``solution'' and claimed that
>      inode numbers offer 15 bits of randomness. In fact, on almost all
>      UNIX systems today, inode numbers are trivially predictable. This
>      is security through obscurity.

The claim that the non-readable maildrop was offered as a ``solution''
is inaccurate.  The non-readable maildrop was offered as a "short-term,
interim solution", while a "permanent solution is under development".
The announcement is likely to be still on-line.  The USENET news
Message ID is <75r5q7$a3h$1@spike.porcupine.org>.

The claim that Postfix file name randomness is based on inode numbers
is inaccurate.  The 15 bits of randomness that I referred to are
based on the time of day in microseconds, which gives about 15 bits
depending on implementation.  Now, 15 bits isn't a lot, but this
scheme was chosen when queue file names were not meant to be secret.

Before I end this post there is one observation that I would like
to share with the reader.  In December, Daniel Bernstein posted a
message to the qmail mailing list with the subject: "Anonymous
postfix denial of service", describing a variety of local attacks
with Bernstein accuracy.  By way of response I described a local
attack in a posting titled "Anonymous qmail denial of service".

How memory can fail.  Daniel Bernstein denies that he attacked
Postfix for being subject to a DoS attack, with the following words:

D. J. Bernstein:
> Perry E. Metzger writes:
> > You attacked Postfix for being subject to a DoS attack.
>
> I pointed out that [Postfix] allowed local users to
>
>    * anonymously destroy messages accepted by the MTA from other users;
>    * obtain traffic information that some sites consider private;
>    * on some UNIX variants, charge mail to the wrong user; and
>    * under specialized circumstances, steal unreadable files.
>
> Which of these are you calling a ``denial-of-service attack,'' Perry?

The claim is in the title, Dan: "Anonymous postfix denial of
service". You can find it in your own mailing list archive.

        Wietse