Check out the new USENIX Web site.

Porting applications to netAuth

To show the effectiveness of netAuth we ported a UBNS service. We have not yet attempted to port a service which is not UBNS organized (such as Apache), as that is a far more difficult problem. We chose an application, dovecot, which supports both privilege separation and UBNS.

Table 4: Dovecot processes and their respective user ID's. Here $U$ refers to the user ID of the (remote) user whose is accessing her mail.
Process name executable name user ID
master dovecot root
auth dovecot-auth root
login imap-login dovecot
  pop3-login dovecot
imap imap $U$

Dovecot is an open source IMAP and POP mail server (and is included in Linux distributions such as Debian and Ubuntu). Users can access dovecot-based services remotely using a Mail Viewer Agent (MVA) such as Thunderbird or Outlook. The MVA on the client communicates with dovecot using the IMAP or POP protocols over SSL or unencrypted connections.

Dovecot was built with security as a primary goal. Since January 2006, its developer has offered an as-yet-uncollected reward of 1000 Euro for the first provable security hole9. To support both privilege separation and UBNS, dovecot has four process types, running under root, dovecot pseudo user, and the user $U$ retrieving her mail, as shown in Table 4.

Table 5, shows the code organization of the dovecot distribution supporting IMAP (v1.0.9)10. Dovecot also uses pam, crypto, and ssl libraries which are not included in these line counts. The source distribution to support IMAP is 24,628 lines of code, of which 9,30711 (37.8%) are associated with authentication and encryption. The port consisted of removing this code, and copying over less than 1,000 lines from master (configuration and the concurrent server loop) and login (the initial handshake code) to imap.

The port reduces the number of process types from four to one. With a traditional Unix authorization model, the port still requires root to bind to port 143 and to do setuid; but unlike the pre-port version, our imap process never reads user input while running as root and thus is not subject as root to buffer overflow attack. (The privileges can be still reduced further using netAuth's authorization model).

When implementing a imap service from scratch, only 4 netAuth specific lines would be needed to provide authentication and encryption over that required for an unauthenticated service.

Table 5: Table with lines of code in the various directories in dovecot. The command `cat *.c *.h | grep ";" | wc -l' was used to determine this count.
directory total lines of code
master 2,460
auth 5,469
imap-login 484
imap 3,456
lib-auth 490
lib 6,268
login-common 1,138
lib-imap 1,069
lib-settings 101
lib-ntlm 304
lib-sql 882
lib-dict 470
lib-storage 574
lib-mail 1,463
total 24,628
process dovecot's libraries used total lines of code dynamic libraries
master lib 8,728  
auth lib, lib-settings, 13,024 pam
  lib-ntlm, lib-sql   crypto
login lib, login-common, 9,449 ssl
  lib-auth, lib-imap   crypt
imap lib, lib-dict, lib-mail, lib-imap, lib-storage 13,300 ssl

Manigandan Radhakrishnan 2008-05-13