To show the effectiveness of netAuth we ported a UBNS service. We have not yet attempted to port a service which is not UBNS organized (such as Apache), as that is a far more difficult problem. We chose an application, dovecot, which supports both privilege separation and UBNS.
Dovecot is an open source IMAP and POP mail server (and is included in Linux distributions such as Debian and Ubuntu). Users can access dovecot-based services remotely using a Mail Viewer Agent (MVA) such as Thunderbird or Outlook. The MVA on the client communicates with dovecot using the IMAP or POP protocols over SSL or unencrypted connections.
Dovecot was built with security as a primary goal. Since January 2006, its developer has offered an as-yet-uncollected reward of 1000 Euro for the first provable security hole^9. To support both privilege separation and UBNS, dovecot has four process types, running as root, as the dovecot pseudo-user, and as the user retrieving her mail, as shown in Table 4.
Table 5 shows the code organization of the dovecot distribution supporting IMAP (v1.0.9)^10. Dovecot also uses the pam, crypto, and ssl libraries, which are not included in these line counts. The source distribution supporting IMAP is 24,628 lines of code, of which 9,307^11 (37.8%) are associated with authentication and encryption. The port consisted of removing this code and copying fewer than 1,000 lines from master (configuration and the concurrent server loop) and login (the initial handshake code) into imap.
The port reduces the number of process types from four to one. Under the traditional Unix authorization model, the port still requires root to bind to port 143 and to setuid; but unlike the pre-port version, our imap process never reads user input while running as root, so a buffer overflow in the input-handling code cannot be exploited with root privileges. (Privileges can be reduced still further using netAuth's authorization model.)
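The ordering described above, as an added C illustration that is not netAuth's or dovecot's code: root is used only to bind the privileged port, the process then drops to the mail user, and only the unprivileged process reads client input. Port 143 comes from the text; the loopback bind address and the mail uid/gid a caller passes to drop_privileges are assumptions.

```c
/* Added illustration (not netAuth or dovecot code) of the ordering the port
 * relies on: root only binds the IMAP port, privileges drop to the mail user,
 * and client input is read only after that. Binding port 143 needs root. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1 (as root): bind and listen on the loopback. No client data is read. */
int open_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: drop to the mail user irrevocably. Supplementary groups and gid go
 * first (they need root), uid last. Returns 0 only if every step succeeded
 * and root cannot be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must not be able to regain root */
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Step 3 (unprivileged): read one client line into buf. Refuses to run as
 * root, so "never parse user input as root" is enforced rather than assumed. */
ssize_t read_client_line(int fd, char *buf, size_t len)
{
    if (geteuid() == 0) { errno = EPERM; return -1; }
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}
```

A real server would call open_listener(143) as root, then drop_privileges, then accept clients and pass each connection to read_client_line.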
When implementing an imap service from scratch, only 4 netAuth-specific lines are needed to provide authentication and encryption beyond what an unauthenticated service requires.