Dan M wrote:
quoted text
> On Tue, Jun 10, 2008 at 7:27 AM, Max Lindner <gisanka@googlemail.com> wrote:
>> Hi out there!
>>
>> Seems that the general tenor goes to a separate utility/helper
>> application with suid-bit set which takes over the steps where
>> root-access is compulsory. I will take a look at qmail which seems to
>> have a similar design (as I read in the other dma thread which came up
>> last week).
> 
> The only qmail program that runs setuid is qmail-queue. All critical
> programs run under separate user/group ids.
> 
> qmail-local - the program that delivers into a user's mailbox runs as root.
> 
> In short qmail does as little as possible as root, all qmail programs
> do not trust each other.
> http://cr.yp.to/qmail/guarantee.html
> 
> Here are the diagrams of how things work:
> http://www.axz.de/qmail/pix/index.html


I forgot to mention that it would be worth researching (reading docs and 
man pages) and installing and running it to really understand the 
beautiful design.

Also, for this, or any other service where security counts I would 
highly recommend using a safe, easy to use string library such as the 
one included in  libowfat: http://www.fefe.de/libowfat/

The standard C string functions, as the history continues to prove us 
(and we continue to ignore it), SUCK for writing secure software. You 
don't want to end up with either buffer overflows or string escape 
vulnerabilities, etc.