The client has had e-mails show up in court - presented by a 3rd party - that were confidential between him and his client. He feels someone undeleted the files on the server and retrieved the mail. I think there are other factors involved, like a simple username/password attack against the mail server. For all I know, he might have a keylogger or a trojan horse installed on his workstation. From what I've heard about this person, it would not surprise me if someone at his ISP or web host was bribed to snoop his traffic. He made several enemies and has become a high-profile target. At this point, the project is not moving forward, so it made for an interesting discussion.

George Toft, CISSP, MSIS
623-203-1760

"That which does not kill us makes us stronger."

Darrin Chandler wrote:
> If root can maintain the box, root can read the mail. It may be *harder* for root to read the mail, but it can be done. Otherwise you'd have to do odd things like boot from CD/floppy to upgrade the kernel, etc. If you can upgrade the kernel as root you can do *anything*.
>
> I am NOT saying that SELinux (or whatever else) is a bad thing, or that it's not appropriate in this setting. But realize what security you are and are not getting.
>
> Seeing those three requirements makes me wonder what the attack trees and risk analysis look like for this project. Are you at liberty to share any of that?
>
> On Thu, Oct 05, 2006 at 09:26:21AM -0700, George Toft wrote:
>
>> As I understand SELinux, mandatory access controls and labels, the security administrator can set up a security policy that will lock root out of everything. Granted that is not very useful, but it is a demonstration of separation of privilege, and severely restricts what a person can do.
>>
>> The goal of this requirement is to prevent an attacker who may have gained root from reading the mail queue.
>>
>> George Toft, CISSP, MSIS
>> 623-203-1760
>>
>> "That which does not kill us makes us stronger."
>>
>> Darrin Chandler wrote:
>>
>>> George Toft wrote:
>>>
>>>> Requirements:
>>>> 2. Files owned by vpopmail:vchkpw can only be read by said user:group - this includes root. We need to lock root (and every other user) out of the messages.
>>>>
>>>> #2 sounds like a job for SELinux. Alternatives are welcome :)
>>>
>>> You mean keep out junior sysadmins who have root access, or really keep root out? I don't know of any way to really keep root out. Root has access to everything. Period. Crypto can't solve it, unless the system only has access to the cyphertext (if you encrypt/decrypt locally then root can read the plaintext from memory, and/or get the key and read everything). Different schemes have been proposed and implemented so that root can't do this or that but none that I know of really work against a sophisticated attacker, because in *nix "root == the system."
>>>
>>> If you (wisely) take it as a given that root can compromise your box, then your problem becomes locking down root access. There are pretty effective, well known ways to do that.
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
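Darrin's point in the quoted exchange is that root can read anything the server itself can decrypt, so crypto only helps when the server holds nothing but ciphertext. The following is an added example of that design, not code from this thread or from vpopmail: the sender seals each message to the recipient's public key before it reaches the server, the queue stores only the sealed record, and only the recipient's private key, which never exists on the server, can open it. The function names (Seal, Open, NewRecipientKey), the record layout and the SHA-256 key derivation are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const pubLen = 65 // uncompressed P-256 point, the encoding ecdh.PublicKey.Bytes() uses

// NewRecipientKey makes the recipient's key pair on the recipient's own machine, never on the mail server.
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// aeadFor derives AES-256-GCM from an ECDH shared secret (demo KDF: plain SHA-256; use HKDF in production).
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block: cannot fail
	return aead
}

// Seal runs on the SENDER's machine: ephemeral P-256 ECDH against the recipient's public key, then AES-GCM.
// Record layout (assumed): ephemeral public key || nonce || ciphertext+tag. This record is all the server, and root on it, ever holds.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(recipientPub)
	if err != nil { return nil, err }
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ephPub := eph.PublicKey().Bytes()
	rec := append(append([]byte{}, ephPub...), nonce...)
	return append(rec, aeadFor(shared).Seal(nil, nonce, plaintext, ephPub)...), nil
}

// Open runs on the RECIPIENT's machine with the private key. Without it a dump of the queue
// yields only ciphertext, and any edit root makes to a record fails the GCM tag check.
func Open(priv *ecdh.PrivateKey, rec []byte) ([]byte, error) {
	if len(rec) < pubLen+12+16 { return nil, errors.New("record too short") }
	ephPub, err := ecdh.P256().NewPublicKey(rec[:pubLen])
	if err != nil { return nil, err }
	shared, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	return aeadFor(shared).Open(nil, rec[pubLen:pubLen+12], rec[pubLen+12:], rec[:pubLen])
}
```

This addresses only the "read the mail queue as root" requirement; it does nothing against the keylogger, stolen password or bribed ISP scenarios George raises, and the server still sees who mailed whom and when.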