supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
From: Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups@NTLWorld.COM>
To: supervision@list.skarnet.org
Subject: smaclennan/doorknob
Date: Sun, 27 Jan 2019 14:39:16 +0000
Message-ID: <085056a0-4548-1579-8747-8c057a9aad3c@NTLWorld.COM>
In-Reply-To: <20190126221517.70ea00b8@zonker.seanm.ca>


  * The plural of "address" is "addresses".  "-ii" is not how any word
    pluralizes in English.

  * The way to monitor such a directory nowadays is with
    |kevent(EVFILT_VNODE)| or |inotify_*()|.

  * Long-known multi-user spool security precautions: /Always/ check the
    |d_type|; /always/ |fstatat()|/|fstat()| the spool file and check
    for |S_ISREG()|.

  * Long-known multi-user spool security precautions: Spool areas should
    be beneath a non-world-accessible parent directory, and the program
    that dumps into the spool should be set-group-ID to a group (or a
    /non-owner/ user) that has search access on the parent in order to
    reach the spool directory beneath.  Not doing this is an error that
    was initially made in Postfix years ago, avoiding all set-ID
    programs without realizing that set-ID is a necessary mechanism for
    secure multi-user spooling when it is in this form.  (See Bruce
    Guenter's bcron <http://untroubled.org/bcron/> for an example of an
    alternative way that multi-user spooling can be structured using a
    submission server and UCSPI-UNIX.)

    The spool-processing dæmon itself does not need to run under the
    aegis of this group, if it is simply started up already in its spool
    directory using |chdir|
    <http://jdebp.eu./Softwares/nosh/guide/commands/chdir.xml> (or cd
    <http://skarnet.org./software/execline/cd.html> or equivalent) in
    the |run| script.  (This also means that it does not need to
    hardcode the location of its spool directory.  Its spool directory
    is its working directory, where it works.)

  * Other security precautions: Dæmons such as this should /always/
    |setuidgid|
    <http://jdebp.eu./Softwares/nosh/guide/commands/setuidgid.xml> away
    from the superuser in their |run| scripts to an account dedicated to
    the dæmon.  (Compare the |run| script in Bruce Guenter's nullmailer
    <http://untroubled.org/nullmailer/>.)

      o Jonathan de Boyne Pollard (2019). "Limiting services: Running
        under the aegises of unprivileged user accounts
        <http://jdebp.eu./Softwares/nosh/guide/limiting-services.html#users>".
        /nosh Guide/. Softwares.

      o https://unix.stackexchange.com/questions/450251/

  * Other spool-processing dæmon security measures: The dedicated user
    account has no need to own /anything/, neither the spooled files nor
    the spool directory itself.  It needs only read+write+execute
    permission on the spool directory, and read permission on the spool
    files.  Having ownership permission as well permits compromised
    dæmons to change ACLs and permissions.

      o Jonathan de Boyne Pollard (2019). "Log service security:
        Dedicated log user accounts
        <http://jdebp.eu./Softwares/nosh/guide/log-service-security.html#users>".
        /nosh Guide/. Softwares.

  * Debian family operating system conventions: That has not been the
    way to write a van Smoorenburg |rc| script for Debian family
    operating systems since 2014.

      o Petter Reinholdtsen (2014-02-09). init-d-script
        <https://manpages.debian.org/stretch/sysvinit-utils/init-d-script.5.en.html>.
        /File formats manual/. Debian.

  * C language standards: |stdout| is fully buffered if it is not an
    interactive device, which a pipe is indeed not.  |stderr| is of
    course /not/ fully buffered.

  * Unix conventions: Logs go to standard error.
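
The spool-file precautions from the message above (check the |d_type|, then |fstat()| the opened descriptor and require |S_ISREG()|), as an added example that is not part of the original message or of the doorknob project. It is plain POSIX C; the function names, the temporary fixture directory under /tmp and its three entries (a message file, a planted symlink and a subdirectory) are constructed for the demonstration.

```c
/* Added example, not code from the original message or from doorknob:
 * reading a multi-user spool directory with the checks the message lists.
 * POSIX/Linux, C99; the fixture under /tmp is constructed for the demo. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open one spool entry safely.  dirfd is the already-open spool directory,
 * name and d_type come from readdir().  Returns a descriptor for a regular
 * file, or -1 (errno set) for anything else. */
int open_spool_entry(int dirfd, const char *name, unsigned char d_type)
{
    /* First line of defence: the directory entry type.  DT_UNKNOWN is legal
     * on some filesystems, so it is let through to the fstat() check below. */
    if (d_type != DT_REG && d_type != DT_UNKNOWN) {
        errno = EINVAL;
        return -1;
    }
    /* O_NOFOLLOW refuses a symlink planted in the spool; O_NONBLOCK stops a
     * FIFO from hanging the open before S_ISREG() can reject it. */
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor actually held, never the name: no lookup/open race. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Scan a spool directory and return how many entries pass the checks.
 * A real daemon would process each descriptor instead of just counting. */
int count_regular_spool_entries(const char *spool_path)
{
    DIR *dir = opendir(spool_path);
    if (dir == NULL)
        return -1;
    int dfd = dirfd(dir), count = 0;
    struct dirent *de;
    while ((de = readdir(dir)) != NULL) {
        if (de->d_name[0] == '.')      /* skip ".", ".." and half-written temp files */
            continue;
        int fd = open_spool_entry(dfd, de->d_name, de->d_type);
        if (fd < 0)
            continue;                  /* symlink, directory, FIFO, socket: ignored */
        count++;
        close(fd);
    }
    closedir(dir);
    return count;
}

/* Constructed fixture: a temporary spool holding one genuine message, a
 * symlink (the classic planted-link trick) and a subdirectory. */
static int make_demo_spool(char *buf, size_t bufsize)
{
    char tmpl[] = "/tmp/doorknob-spool-XXXXXX";   /* hypothetical location */
    char path[256];
    if (mkdtemp(tmpl) == NULL || strlen(tmpl) + 1 > bufsize)
        return -1;
    strcpy(buf, tmpl);
    snprintf(path, sizeof path, "%s/msg1", tmpl);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("To: someone@example.com\n\nconstructed message body\n", f);
    fclose(f);
    snprintf(path, sizeof path, "%s/planted", tmpl);
    if (symlink("msg1", path) < 0)          /* must be rejected */
        return -1;
    snprintf(path, sizeof path, "%s/subdir", tmpl);
    return mkdir(path, 0700);               /* must be rejected */
}

static int remove_demo_spool(const char *dirpath)
{
    const char *names[] = { "msg1", "planted", "subdir" };
    char path[256];
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dirpath, names[i]);
        int rc = (i == 2) ? rmdir(path) : unlink(path);
        if (rc < 0)
            return -1;
    }
    return rmdir(dirpath);
}

/* Build the fixture, scan it, tear it down; returns the number of entries
 * accepted.  Only msg1 survives, so the expected value is 1. */
int demo_spool_scan(void)
{
    char spool[64];
    if (make_demo_spool(spool, sizeof spool) < 0)
        return -1;
    int n = count_regular_spool_entries(spool);
    remove_demo_spool(spool);
    return n;
}

int main(void)
{
    fprintf(stderr, "accepted spool entries: %d\n", demo_spool_scan());
    return 0;
}
```

The daemon never learns the spool's absolute path here: as the message recommends, it would be started in the spool directory by |chdir| (or execline's cd) and dropped to its dedicated account by |setuidgid| in the |run| script, so `count_regular_spool_entries(".")` is all it needs, and the diagnostic goes to standard error rather than the fully buffered standard output.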

