* The plural of "address" is "addresses". "-ii" is not how any word
  pluralizes in English.
* The way to monitor such a directory nowadays is with
  |kevent(EVFILT_VNODE)| or |inotify_*()|.
* Long-known multi-user spool security precautions: /Always/ check the
  |d_type|; /always/ |fstatat()|/|fstat()| the spool file and check
  for |S_ISREG()|.
* Long-known multi-user spool security precautions: Spool areas should
  be beneath a non-world-accessible parent directory, and the program
  that dumps into the spool should be set-group-ID to a group (or a
  /non-owner/ user) that has search access on the parent in order to
  reach the spool directory beneath. Not doing this is an error that
  was initially made in Postfix years ago, avoiding all set-ID
  programs without realizing that set-ID is a necessary mechanism for
  secure multi-user spooling when it is in this form. (See Bruce
  Guenter's bcron <http://untroubled.org/bcron/> for an example of an
  alternative way that multi-user spooling can be structured using a
  submission server and UCSPI-UNIX.)

  The spool-processing dæmon itself does not need to run under the
  aegis of this group, if it is simply started up already in its spool
  directory using |chdir|
  <http://jdebp.eu./Softwares/nosh/guide/commands/chdir.xml> (or cd
  <http://skarnet.org./software/execline/cd.html> or equivalent) in
  the |run| script. (This also means that it does not need to
  hardcode the location of its spool directory. Its spool directory
  is its working directory, where it works.)
* Other security precautions: Dæmons such as this should /always/
  |setuidgid|
  <http://jdebp.eu./Softwares/nosh/guide/commands/setuidgid.xml> away
  from the superuser in their |run| scripts to an account dedicated to
  the dæmon. (Compare the |run| script in Bruce Guenter's nullmailer
  <http://untroubled.org/nullmailer/>.)
  o Jonathan de Boyne Pollard (2019). "Limiting services: Running
    under the aegises of unprivileged user accounts
    <http://jdebp.eu./Softwares/nosh/guide/limiting-services.html#users>".
    /nosh Guide/. Softwares.
  o https://unix.stackexchange.com/questions/450251/
* Other spool-processing dæmon security measures: The dedicated user
  account has no need to own /anything/, neither the spooled files nor
  the spool directory itself. It needs only read+write+execute
  permission on the spool directory, and read permission on the spool
  files. Having ownership permission as well permits compromised
  dæmons to change ACLs and permissions.
  o Jonathan de Boyne Pollard (2019). "Log service security:
    Dedicated log user accounts
    <http://jdebp.eu./Softwares/nosh/guide/log-service-security.html#users>".
    /nosh Guide/. Softwares.
* Debian family operating system conventions: That has not been the
  way to write a van Smoorenburg |rc| script for Debian family
  operating systems since 2014.
  o Petter Reinholdtsen (2014-02-09). init-d-script
    <https://manpages.debian.org/stretch/sysvinit-utils/init-d-script.5.en.html>.
    /File formats manual/. Debian.
* C language standards: |stdout| is fully buffered if it is not an
  interactive device, which a pipe is indeed not. |stderr| is of
  course /not/ fully buffered.
* Unix conventions: Logs go to standard error.
Received on Sun Jan 27 2019 - 14:39:16 UTC
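The spool-handling precautions listed in the message above (check |d_type|, then |fstat()| the opened file and require |S_ISREG()|; keep the spool beneath a non-world-accessible parent) as an added, self-contained C example. This is not code from the message, from nosh, bcron or nullmailer; the function names (|dir_is_private|, |scan_spool|, |make_fixture|, |demo|) and the fixture layout under a temporary directory are assumptions made for the illustration. The fixture is constructed: one regular file, one symlink, one subdirectory and one FIFO dropped into a spool directory, of which only the regular file must be accepted.

```c
/* Added example (not from the original message): defensive scanning of a
   multi-user spool directory. Names below are assumptions for illustration. */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct scan_result { int accepted; int skipped; };

/* 1 if path is a directory that grants "other" no access at all, else 0.
   The spool's parent directory should satisfy this. */
int dir_is_private(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && (st.st_mode & S_IRWXO) == 0;
}

/* Walk spool_dir, accepting only entries that are regular files by both the
   directory-entry type and an fstat() of the opened descriptor. */
int scan_spool(const char *spool_dir, struct scan_result *r) {
    DIR *d = opendir(spool_dir);
    if (d == NULL) return -1;
    int dfd = dirfd(d);
    struct dirent *e;
    r->accepted = r->skipped = 0;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;          /* ".", "..", hidden temporaries */
        /* First check: d_type. DT_UNKNOWN is let through only because some
           filesystems do not fill it in; fstat() below still decides. */
        if (e->d_type != DT_REG && e->d_type != DT_UNKNOWN) { r->skipped++; continue; }
        /* Open relative to the directory, never following a symlink, and
           non-blocking so that a FIFO planted in the spool cannot hang us. */
        int fd = openat(dfd, e->d_name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
        if (fd < 0) { r->skipped++; continue; }
        /* Second check: fstat() the descriptor we actually hold, not the name. */
        struct stat st;
        if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); r->skipped++; continue; }
        /* A real job would now read/hand off the file through fd, then unlink it. */
        r->accepted++;
        close(fd);
    }
    closedir(d);
    return 0;
}

/* Constructed fixture: parent/ (0750) holding spool/ (0770) with one regular
   file, one symlink, one subdirectory and one FIFO. Fills the caller's buffers. */
int make_fixture(char *parent, size_t plen, char *spool, size_t slen) {
    char tmpl[] = "/tmp/spoolXXXXXX";
    char path[PATH_MAX];
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(parent, plen, "%s", tmpl);
    snprintf(spool, slen, "%s/spool", tmpl);
    if (chmod(parent, 0750) != 0 || mkdir(spool, 0770) != 0) return -1;
    snprintf(path, sizeof path, "%s/job1", spool);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (fd < 0) return -1;
    (void)write(fd, "constructed job\n", 16);
    close(fd);
    snprintf(path, sizeof path, "%s/link", spool);
    if (symlink("/etc/passwd", path) != 0) return -1;     /* must be rejected */
    snprintf(path, sizeof path, "%s/subdir", spool);
    if (mkdir(path, 0770) != 0) return -1;                /* must be rejected */
    snprintf(path, sizeof path, "%s/fifo", spool);
    if (mkfifo(path, 0640) != 0) return -1;               /* must be rejected */
    return 0;
}

/* Build the fixture, verify the parent is private, scan. 0 on success. */
int demo(struct scan_result *r) {
    char parent[PATH_MAX], spool[PATH_MAX];
    if (make_fixture(parent, sizeof parent, spool, sizeof spool) != 0) return -1;
    if (!dir_is_private(parent)) return -2;
    return scan_spool(spool, r);
}

int main(void) {
    struct scan_result r;
    if (demo(&r) != 0) { perror("demo"); return 1; }
    fprintf(stderr, "accepted=%d skipped=%d\n", r.accepted, r.skipped);
    return 0;
}
```

The two checks are deliberately redundant: |d_type| is cheap but advisory (and may be DT_UNKNOWN), while |fstat()| on the descriptor that was actually opened is authoritative and cannot be raced by renaming the entry between the directory read and the open. Note also that the scanner only needs read access to the files and search/write access to the directory, in line with the point above that the dæmon's account should own nothing.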