Reviewing the DJB qmail security guarantee page:
In May 2005, Georgi Guninski claimed that some potential 64-bit portability problems allowed a “remote exploit in qmail-smtpd.” This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.
That’s some fine political weaseling right there, Dr. Bernstein. If your defaults are not limiting that process from the get-go and you don’t have an upper limit to prevent that, it’s inherently insecure. Shame on you. If you’re going to have a big ego to make such an audacious “guarantee”, eat the damn crow or rescind that silly ego booster of a “security guarantee”. The latter is free to do and probably will save you more face.
Pretty much no one is monitoring the memory allocations of an smtp process. So it’s absurd to claim this defaults-enabled attack is not practical.
I’ve run qmail at various companies over the years and it’s always been standard advice from DJB to run daemons with resource limits set. He provides daemontools, which contains softlimit, which makes this easy.
Packages made for various OSes/dists include this limiting.
As memory usage is usually limited, errors will occur if these limits are hit - and these will be logged.
I’m happy to be corrected on what I believe are the facts here.
The recent update about this security issue is that it is exploitable in practice because qmail-smtpd is always memory-limited but qmail-local never is (checked on several distros by Qualys).
I see, thanks. The comment I replied to was talking about qmail-smtpd. I wasn’t aware of the qmail-local issue.
Looking at the hole that’s been reported, it looks real to me. Indeed I don’t remember seeing packages limit qmail-local.
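The resource-limit mitigation discussed in this thread (softlimit on qmail-smtpd, nothing on qmail-local) is only as good as the caps actually in force on the box. The script below is an added example, not code from qmail, daemontools or anyone in this thread; it audits a Linux host for processes of a given name running without an address-space cap, and assumes the Linux /proc layout and the "Max address space" line of /proc/<pid>/limits.

```shell
#!/bin/sh
# Added example: find processes that run with no address-space cap, i.e. the
# qmail-local situation described in the thread. Assumes Linux /proc.

# Read a /proc/<pid>/limits listing on stdin and print the soft limit of
# "Max address space": a byte count, "unlimited", or "missing" if absent.
addr_space_soft_limit() {
    awk '$1 == "Max" && $2 == "address" && $3 == "space" { print $4; found = 1 }
         END { if (!found) print "missing" }'
}

# Classify a limits listing on stdin: "limited", "unlimited" or "unknown".
limit_status() {
    case "$(addr_space_soft_limit)" in
        unlimited) echo unlimited ;;
        missing)   echo unknown ;;
        *)         echo limited ;;
    esac
}

# Report every process whose command name is $1 (e.g. qmail-local,
# qmail-smtpd) that has no address-space cap. Returns 1 if any was found.
audit_unlimited() {
    name=$1; rc=0
    for dir in /proc/[0-9]*; do
        [ -r "$dir/comm" ] && [ -r "$dir/limits" ] || continue
        read -r comm < "$dir/comm" 2>/dev/null || continue
        [ "$comm" = "$name" ] || continue
        if [ "$(limit_status < "$dir/limits")" = unlimited ]; then
            echo "pid ${dir#/proc/} ($name): no address-space limit" >&2
            rc=1
        fi
    done
    return $rc
}

# How the cap is normally applied (constructed illustration, not a real
# run script; 64000000 bytes is a placeholder to tune per site):
#   exec softlimit -m 64000000 tcpserver ... qmail-smtpd
# rlimits are inherited across fork/exec, so a cap on the qmail-send run
# script also covers the qmail-lspawn -> qmail-local processes it starts.

# Usage: sh audit.sh qmail-local
if [ "${1:-}" ]; then
    audit_unlimited "$1" || echo "uncapped $1 processes found" >&2
fi
```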
Today. Not in 2005 (15 years ago!) when memory was way more costly.
[Commenting for transparency]
While I love me some open-source cat-fighting, I believe this sort of content is off-topic for this site, and I have flagged it as such.
I have not posted it because of the cat-fighting; besides, I find this a funny extra.
The reason is more the implication “my software hasn’t a bug, you’re just using it wrong”. Especially if you look at his claims about easy APIs. One of the main arguments for his Curve25519 was that you don’t have to check if the point you get is on the curve (I haven’t found the talk yet, I’ll post it later as a reply).
So the questions I want to discuss are: Is it OK to say of a bug that you can’t trigger it because you should have set up a safety mechanism? Which assumptions about the environment can you make? And how do you document these assumptions? Should you fix bugs which can’t be triggered (yet)?
Yes, without the explanation it might look only like making fun of cat-fighting.
edit: the talk I mentioned. It’s at 00:46:10.
I had never heard about this memory limit thing regarding qmail so while I don’t like the form, it provided valuable insight.
I upvoted because it expresses a pattern of behaviour that I’ve noticed in djb for well over 20 years now, and have come across myself. Many years ago I noticed a bug in qmail-imapd where it wasn’t implementing a part of the RFC at all, and it was breaking some IMAP clients. djb said that that part of the RFC wasn’t important and refused to implement it, forcing many of our end users to switch their email clients and causing a lot of headaches. Because of that, and a few other interactions, I have never used another piece of software by djb, even though it might be in many ways technically better. It’s just not worth the headaches of having to deal with him.
djb is genius-level smart, and I find many of his programs have a kind of rare brilliance to them. In an alternative universe where he’s not such a pain to deal with we’d all be running qmail instead of postfix and daemontools instead of systemd.
Yep. It’s actually quite a shame, really.
There are usually saner implementations of the same idea — namely runit for daemontools. And most famously libsodium for NaCl.
As for mail.. qmail seems arcane and complicated. OpenSMTPd is the only mail server I’d be willing to admin :D
I tried setting OpenSMTPD up with virtual users / virtual domains using sqlite and to my surprise it didn’t work anymore as the opensmtpd-extras have a version mismatch in Debian, so Postfix it is again. Maybe more of a Debian problem than OpenSMTPD.
There is no qmail-imapd.
No he didn’t, because there is no qmail-imapd.
Huh, you’re absolutely right about there not being an imap server associated with qmail. I wonder what program the bug was associated with. It was nearly 20 years ago, so aspects of it may be entirely wrong.
Wait, there is a qmail-imapd? I would be happy to know where you found it, as I fail to see it in the qmail source, and all I find for “qmail-imapd” is tcp rules for courier-imap as part of some qmail metapackage: https://www.opennet.ru/base/patch/qmail_ldap.txt.html
I think djb is a jackass but I flagged this as off-topic for basically the same reason as @gerikson
djb’s somewhat cantankerous paper Some thoughts on security after ten years of qmail 1.0 was one of my first introductions to seriously trying to make high quality software, and despite the tone, was pretty thought provoking for me. He was sort of worshiped by some of the engineers who mentored me at my first job, as we worked heavily with djb’s daemontools, cdb, etc… and I had a lot of respect for him. Over time, between the way he’s sheltered a rapist and generally conducted himself in public, that respect has evaporated.
Similar story for me, but I’ve historically tried a different tack. I still respect him for his contributions to code, math, science, and the political discourse in regards to encryption. I can’t respect him on a personal level, because of the above stated reasons.
This still gives him a platform, however, and, as the argument goes, gives him permission to continue to be a horrible person. And, I get that. I should probably slightly adjust my tack and use an “evaporative model” (to crib your words). In this model, I’ll allow for rehabilitation and for amends to be made to those harmed, but failure to make progress towards that, over time, evaporates my willingness to give the person any respect. Effectively, inaction suggests that the person doesn’t actually get, or doesn’t agree that there was wrongdoing after much possibility for reflection.
The challenge there is that some assholes have contributed foundationally to the world I live in. If I dismiss everything they’ve ever done, on principle, what’s left?
As long as they do not benefit from the fruits of their heinous behavior, it is okay to accept their work. The problem is when Dr. Bernstein benefits from it, which does constitute a form of endorsement. After reading this morning all the court filings for Todd v Lovecroft and seeing his affiliation (i.e. his statement of support for Todd) along with his vociferous defense of Appelbaum (and calling one of the people blowing the whistle a liar right down to the “if they were a victim, why didn’t they go to the police” on a sexual abuse matter – strange, he did the same for the Todd v Lovecroft case), I found myself thinking very, very, very low of him.
Being a “genius” shouldn’t absolve someone of protecting and sheltering rapists, let alone other violent criminals. But that seems to be a problem in certain communities which paradoxically hold their heroes to a lesser standard, not a greater one.
How do you quantify whether they benefit or not? In the “No PR is bad PR” model, the very nature of a viral, accusatory, article / blog post props the person up, regardless of the truth, which has the possible benefit of more exposure of their work…
I completely agree. For instance, Hans Reiser is a murderer, and fuck him. But before that happened, ReiserFS was very, very, very well regarded and a dominant filesystem in the Linux world. ReiserFS would have aged out anyway, but the potential foundations for new filesystems can’t, and shouldn’t be forgotten. Unfortunately, we still have to credit their authors. Maybe we should do so with an in-text note next to it: “Hans Reiser (Convicted murderer, Nina Reiser, spouse, leaving 2 children psychologically damaged for life)”
Edit: Those in-text note things are problematic. To avoid potential defamation suit, you can’t exactly publish “DJB (Rapist shelterer, Horrible Person).” In part, because Appelbaum has not been convicted of a crime, and so there’s a question of “fact.” And because “Horrible Person” is a relative term, and highly opinionated.
Is this only in “certain communities”? In my experience, this is generally true. We usually admire something before getting to know all of its flaws, and get so hung up on the parts that attracted us, we can’t see the tire fire within. Also, isn’t this the exact psychology that con artists use?