[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: portmap vulnerability?



Matt <panzer dhp com> writes:

> In mail.linux.security cfb <cfb ocn21 kdd-ok ne jp> wrote:
> : How many processes does something like ssmtp kick off?  Not enough to be
> : significant, plus you won't risk having your filesystem fill up.  Just
> 
> The mail needs to go to a spool.  The spool needs to be saved to a disk.
> The disk is finite.  Words like "not enough to be significant" can get you
> in trouble very quickly in security. :)
> -- 
> -Matt Drown     -- Privacy, Anonymity, & Security -- DataHaven Project
>  panzer dhp com -- Shell and Web accounts           -- http://www.dhp.com/ 
> 

Smart and security-conscious mail daemons will stop accepting mail
when the disk starts to fill.  This means lost log messages, but this
will be the case even when you try to log everything in a different
way.  And if the mail daemon is running as non-root (it should), the
ext2 filesystem is smart enough to save disk space for root stuff...
But the above method of logging requires a lot more disk space
than straight syslog-type logging, and (with most mail daemons) eats
inodes too.

Regardless, the point is that DoS attacks on mail daemons are always
an issue.  One has to be able to receive mail at root@host and at
postmaster@host (if the host is going to be net-friendly), and so one
is going to be open to these attacks.

The nice thing about mail-based logging is that I can have
security-related alerts (such as these) mailed to me; since my email
is forwarded to a different host than the machine that performs
syslogging, mail provides an added redundancy so I don't lose
important logs.  If someone starts setting off lots and lots of bells, 
the admins on my mail host will get mad at me, but I'll have an
excuse, and if they're smart, they won't have much of a problem.  And
if it happens in my absence, they'll be alerted that something is up
with my machines.

Not foolproof, but not a bad idea.  (as I see it...?)
-sq
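The two mechanisms the post relies on, a daemon that stops accepting mail before the spool fills (leaving the root-reserved ext2 blocks for root-owned logging) and an alert stream that does not "set off lots and lots of bells", can be checked in a few lines. The following is an added example, not code from the thread or from any mail daemon: it reads the same numbers `os.statvfs()` exposes (`f_bavail` is the space an unprivileged daemon can actually use, `f_bfree` additionally includes the reserved blocks), refuses new messages below an illustrative free-space and free-inode threshold, and caps alert mails per sliding window with a single catch-up summary. The threshold values and the sample filesystem figures are constructed for the example.

```python
import os
from collections import deque, namedtuple

# Minimal view of the fields os.statvfs() returns. f_bfree counts every free
# block; f_bavail only those an unprivileged process may use. The gap between
# them is the root-reserved space the thread mentions. f_ffree/f_favail are
# the same pair for inodes, which most spool formats consume per message.
FsStats = namedtuple("FsStats",
                     "f_frsize f_blocks f_bfree f_bavail f_files f_ffree f_favail")


def read_fs_stats(path):
    """Read live numbers for a real spool directory (Linux, BSD, macOS)."""
    st = os.statvfs(path)
    return FsStats(st.f_frsize, st.f_blocks, st.f_bfree, st.f_bavail,
                   st.f_files, st.f_ffree, st.f_favail)


def spool_decision(stats, message_bytes,
                   min_free_bytes=64 * 1024 * 1024, min_free_inodes=1000):
    """Decide whether an unprivileged mail daemon should accept another message.

    Returns (accept, reason). The thresholds are assumptions for the example;
    the point is to stop before the spool is full, so that root-owned logging
    can still write into the reserved blocks.
    """
    avail_bytes = stats.f_bavail * stats.f_frsize            # usable by non-root
    reserved_bytes = (stats.f_bfree - stats.f_bavail) * stats.f_frsize  # root only
    if stats.f_favail < min_free_inodes:
        return False, "inodes: %d usable inodes left" % stats.f_favail
    if avail_bytes - message_bytes < min_free_bytes:
        return False, "disk: %d bytes usable, %d reserved for root" % (
            avail_bytes, reserved_bytes)
    return True, "ok"


class AlertThrottle:
    """Sliding-window cap on alert mails: a burst of events produces a few
    alerts plus one summary instead of one mail per event."""

    def __init__(self, window_seconds=600, max_per_window=5):
        self.window = window_seconds
        self.max = max_per_window
        self.sent = deque()   # timestamps of alerts sent inside the window
        self.suppressed = 0   # events dropped since the last summary

    def submit(self, now):
        """Return 'send' if an alert may go out at time `now`, else 'suppress'."""
        while self.sent and self.sent[0] <= now - self.window:
            self.sent.popleft()
        if len(self.sent) < self.max:
            self.sent.append(now)
            return "send"
        self.suppressed += 1
        return "suppress"

    def summary(self):
        """Text for one catch-up mail, or None; resets the suppressed counter."""
        n, self.suppressed = self.suppressed, 0
        if not n:
            return None
        return "%d alerts suppressed in the last %d seconds" % (n, self.window)


if __name__ == "__main__":
    # Run against the current directory so the example works without a spool.
    print(spool_decision(read_fs_stats("."), 4096))
```

`spool_decision` deliberately reads `f_bavail`, not `f_bfree`: a daemon running as non-root hits ENOSPC as soon as `f_bavail` reaches zero, while root still has the reserved blocks, which is exactly the property the post counts on. The throttle is the counterpart for the mail host: it keeps the alerts that are worth paging on and turns the rest into one summary line.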


