[9037] in bugtraq
Re: Anonymous Qmail Denial of Service
daemon@ATHENA.MIT.EDU (Wietse Venema)
Mon Jan 11 13:13:27 1999
Date: Sun, 10 Jan 1999 17:35:36 -0500
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990109221231.5482.qmail@cr.yp.to> from "D. J. Bernstein" at
"Jan 9, 99 10:12:31 pm"

Bernstein's posting contains inaccuracies. Rather than boring the
reader I will just address a few. If there is sufficient demand I
will make the full list available for those who care.
> * The world-writable drop directory was made unreadable. The
> [Postfix] author called this a ``solution'' and claimed that
> inode numbers offer 15 bits of randomness. In fact, on almost all
> UNIX systems today, inode numbers are trivially predictable. This
> is security through obscurity.
The claim that the non-readable maildrop was offered as a ``solution''
is inaccurate. The non-readable maildrop was offered as a "short-term,
interim solution", while a "permanent solution is under development".
The announcement is likely to be still on-line. The USENET news
Message ID is <75r5q7$a3h$1@spike.porcupine.org>.

The claim that Postfix file name randomness is based on inode numbers
is inaccurate. The 15 bits of randomness that I referred to are
based on the time of day in microseconds, which gives about 15 bits
depending on implementation. Now, 15 bits isn't a lot, but this
scheme was chosen when queue file names were not meant to be secret.

Before I end this post there is one observation that I would like
to share with the reader. In December, Daniel Bernstein posted a
message to the qmail mailing list with the subject: "Anonymous
postfix denial of service", describing a variety of local attacks
with Bernstein accuracy. By way of response I described a local
attack in a posting titled "Anonymous qmail denial of service".

How memory can fail. Daniel Bernstein denies that he attacked
Postfix for being subject to a DoS attack, with the following words:

D. J. Bernstein:
> Perry E. Metzger writes:
> > You attacked Postfix for being subject to a DoS attack.
>
> I pointed out that [Postfix] allowed local users to
>
> * anonymously destroy messages accepted by the MTA from other users;
> * obtain traffic information that some sites consider private;
> * on some UNIX variants, charge mail to the wrong user; and
> * under specialized circumstances, steal unreadable files.
>
> Which of these are you calling a ``denial-of-service attack,'' Perry?
The claim is in the title, Dan: "Anonymous postfix denial of
service". You can find it in your own mailing list archive.

Wietse