[CentOS] OT: question on setting up an email server

Feizhou feizhou at graffiti.net
Thu Jun 23 17:28:58 UTC 2005


Aleksandar Milivojevic wrote:
> Feizhou wrote:
> 
>> Ooh, I am so worried.
>>
>> My 16GB RAM server runs qmail-smtpd with no memory limits out of inetd 
>> on a FreeBSD 5.0 box on Opteron hardware and now I am vulnerable.
>>
>> The 'exploit' might be possible IF you explicitly give the qmail-smtpd 
>> process unlimited memory and you have more than 4GB RAM available and 
>> you also run on an Opteron with FreeBSD 5.0.
> 
> 
> People do stupid things from time to time.  And people also make stupid 
> typos in config files from time to time.  Esp. if they are newbies.  So 
> yes, some newbie that has an oversized machine could give qmail-smtpd 
> unlimited memory (or simply too much memory).

When does a newbie get a monster box to play with? Any box running an 
Opteron with more than 4GB of RAM is going to be pricey... of course this 
is beside the point. Hence Russell Nelson's wish that DJB would update 
his documentation so that newbies who manage to get a working system 
just using the documentation that comes with the source tarball won't 
shoot themselves in the foot.
> 
> Blindly assuming something fits into 32-bits and not doing checks is a 
> bug.  It might be a theoretical bug that will not manifest itself in 
> normal, standard or whatever you want to call them configurations, but 
> still a bug.  Qmail should either check its memory limit and refuse to run 
> if it was given too much (so that things do not fit into 32-bits 
> anymore), or it should do proper checks and/or use proper types to 
> prevent overflows.

DJB has already stated a long time ago that this should be done by the 
OS or available tools.

http://cr.yp.to/docs/resources.html (linked to from 
http://cr.yp.to/qmail/guarantee.html cor, this page got an update...)
> 
> After all, there's that famous quote from Bill Gates: "640K ought to be
> enough for anybody".  Who knows, maybe one day we'll be quoting qmail 
> author instead: "32 bits ought to be enough for anybody".

I highly doubt it since he said nothing of the sort.
