Return-Path: 
 <community-return-2147-apmail-community-archive=apache.org@apache.org>
Delivered-To: apmail-community-archive@apache.org
Received: (qmail 23433 invoked by uid 500); 27 Jun 2003 21:06:14 -0000
Mailing-List: contact community-help@apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:community-help@apache.org>
list-unsubscribe: <mailto:community-unsubscribe@apache.org>
list-post: <mailto:community@apache.org>
Reply-To: community@apache.org
Delivered-To: mailing list community@apache.org
Received: (qmail 23347 invoked from network); 27 Jun 2003 21:06:13 -0000
Received: from ms-smtp-02.southeast.rr.com (24.93.67.83)
  by daedalus.apache.org with SMTP; 27 Jun 2003 21:06:13 -0000
Received: from noel770 (cae88-112-241.sc.rr.com [24.88.112.241])
	by ms-smtp-02.southeast.rr.com (8.12.5/8.12.2) with SMTP id h5RL3QqR027491;
	Fri, 27 Jun 2003 17:03:27 -0400 (EDT)
From: "Noel J. Bergman" <noel@devtech.com>
To: "James Developers List" <james-dev@jakarta.apache.org>,
   <community@apache.org>, <pier@apache.org>
Subject: RE: WORA Considered Evil  ;-)
Date: Fri, 27 Jun 2003 17:05:41 -0400
Message-ID: <NBBBJGEAGJAKLIDBKJOPIEPCCHAB.noel@devtech.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
In-Reply-To: <005b01c33cd7$07ab5510$0901a8c0@synsys.com>
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

Steve and Kenny,

There is a balance.  Not all of Pier's issues may apply, but many of the
important ones do.

Frankly, I don't want to run anything at root that can avoid it.  That is
just good practice.

Consider Vincenzo's anti-spam matcher.  Would you want that to run as root?
I am not convinced that an exploit cannot be written that would cause the
commercial, native code, virus scanner to have a buffer overflow causing it
to execute code embedded in a carefully crafted message.  Can you prove
otherwise?  How big a bet would you be willing to place?  Because that is
the core of decision theory: what are you willing to risk on your choice?

> There is no need to distribute James' components over multiple JVMs to
> enhance security or robustness.

I disagree as a technical matter.  As a practical matter, it depends upon
one's configuration and comfort level.  Clearly most users experience levels
of both security and robustness with James that meet their requirements.

> The paranoia comes from what's called a buffer overflow
> exploit.

> Java however doesn't suffer from this kind of attack

As a matter of fact, there was one involving the native compression code.

I agree that Java is safer than C/C++, but that does not diminish the point.
I can give you plenty of good reasons for why you want the ability to run
the mailet pipeline at privileges other than root:

 - the chance of a JVM exploit.
 - potential exploits via native code in
   a JDBC driver.
 - the use of native code in matchers/mailets,
   e.g., the anti-virus matcher.
   ---------------------------------------------------
 - the use of third party matchers/mailets.
 - the use of user-defined scripting matchers/mailets
 - support for SOAP
 - one pipeline being extra busy or big
   performing lots of processing and/or
   handling large messages, should not
   deny service to other users.

None of the items below the bar are related to native code exploits.  A
single JVM is not secure when you start taking into account such things as
SOAP, user-defined scripts, etc.  Would you run Tomcat as root, and allow
users to install whatever servlets they want at root privilege?

For most users, the risk involved may be effectively non-existent, but the
more flexible a system becomes, the more the system must be architected to
prevent exploits due to an oversight failure.  For Tomcat, I make sure that
each virtual host's JVM(s) run(s) with the access right's of the host's
owner.  If I have mail applications for multiple hosts, I also want to
ensure separation, security, and privacy.

Next, consider the dynamic reconfiguration issue, which thread I have no had
time to respond to over the past couple of days.  The key issue there is
that to reconfigure the pipeline, I should not have to impact the other
services.  What you might do for a graceful reconfig is to put the pipeline
into a mode where it will process all messages EXCEPT for those in the root
spool.  That lets you flush out the current pipeline, while allowing the
SMTP server to continue spooling messages.  Then I can gracefully restart
the pipeline processor without any impact on SMTP, POP3, NNTP or other
service.

We've already had the plan for a distributed pipeline cluster, so I don't
see any reason to be arguing the point.  If you look at Pier's message, you
should see GOOD things, not bad.  The architecture is basically exactly what
he wants.

> Using multiple VMs forces the use of some kind of remote interface.

We already have one: the spooler and message stores.  Separation would occur
where natural divisions exist.

	--- Noel


---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org