allover | 5 years ago

So the app is vulnerable by default, yet the author is claiming this doesn't matter, because he instructs how to run it in a safe way?

Correct, or am I oversimplifying/missing something?


icedchai | 5 years ago

qmail last had an official release in the late '90s. Everything else is third-party forks / patches. Back in the day, I upgraded many systems from sendmail to qmail. However, that was a very long time ago... It's been over 15 years since I've done something like that.

Nowadays, the author should be telling people to install postfix.

gowld | 5 years ago

The app is vulnerable if it runs in an unsafe environment that allows qmail to access more than 4GB (an absurdly large value when qmail was published in 1997 -- it would cost $5000 plus a rare, expensive machine to hold it).

djb's view is that the environment is the responsibility of the admin, not the program's responsibility to enforce sane defaults. This is of course debatable.

If the admin uses a recommended environment (low memory limit), there is no exploitability.
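
The "recommended environment" argument above comes down to one thing: a process whose address space is capped cannot obtain the multi-gigabyte allocations the bug needs. The following C program is an added illustration, not code from the thread or from qmail, of what such a cap does to a process. It forks a child, applies `RLIMIT_AS` (the address-space limit that `ulimit -v` sets) in the child only, and reports whether a single `malloc` of the requested size still succeeds. It assumes a Linux/POSIX system where `RLIMIT_AS` is enforced; the limit and request sizes are constructed values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

/* Try one allocation of request_bytes inside a child whose address
 * space is capped at limit_bytes via RLIMIT_AS.  The limit is applied
 * in the child only, so the caller is never affected by it.
 * Returns 1 if the allocation succeeded, 0 if it failed (or if the
 * child could not be created or could not apply the limit). */
int alloc_succeeds_under_limit(size_t limit_bytes, size_t request_bytes)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;

    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_AS, &rl) != 0)
            _exit(2);
        /* Only lower the soft limit; never try to raise the hard limit,
         * which an unprivileged process is not allowed to do. */
        if (rl.rlim_max != RLIM_INFINITY && (rlim_t)limit_bytes > rl.rlim_max)
            rl.rlim_cur = rl.rlim_max;
        else
            rl.rlim_cur = (rlim_t)limit_bytes;
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(2);

        /* With RLIMIT_AS in force, the mmap behind a large malloc fails
         * with ENOMEM and malloc returns NULL instead of a usable block. */
        void *p = malloc(request_bytes);
        if (p == NULL)
            _exit(1);
        free(p);
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    /* Constructed sizes: a 256 MiB cap, one small and one oversized request. */
    size_t cap = (size_t)256 << 20;
    printf("32 MiB under a 256 MiB cap: %s\n",
           alloc_succeeds_under_limit(cap, (size_t)32 << 20) ? "allocated" : "refused");
    printf("2 GiB under a 256 MiB cap:  %s\n",
           alloc_succeeds_under_limit(cap, (size_t)2 << 30) ? "allocated" : "refused");
    return 0;
}
```

The same effect is what a daemon supervisor gets by starting the service under `ulimit -v` (or an equivalent resource-limit wrapper): every allocation beyond the cap is refused by the kernel, so a length-arithmetic bug that only misbehaves past a huge size never reaches the state where it matters. The caveat the thread is arguing about is that this protection lives in the launch environment, not in the program, and silently disappears if the service is started some other way.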

allover | 5 years ago

So it's not secure by default.

loeg | 5 years ago

Correct.

edoceo | 5 years ago

Maybe add a reference to how ElasticSearch (or some other new-pop tech) catches heck for the same?

allover | 5 years ago

I think you're being downvoted because other things being insecure is not relevant or an excuse.

edoceo | 5 years ago

I'll reply to myself because I cannot edit now.

I meant: my parent comment (@allover) was missing a reference to how ES is insecure by default, this community gives them heck (rightly so), and that this comparison (qmail v. ES) could have been added (i.e. was missing) from his post.

For a result of: this is a qmail bug that could/should be fixed AND ES should fix theirs too.

I'm for sure (I thought obviously) not excusing either qmail or ES from being insecure by default or for their "fix" to be: "you're doing it wrong".

I don't think my karma will ever recover from this (Tiger King joke).