In February, 1996, Daniel J. Bernstein released the first public beta
test version of qmail, a Message Transfer Agent (MTA). One of his
primary motivations for developing qmail was the notorious insecurity
of the "standard" UNIX MTA, sendmail.
Unlike sendmail, qmail was designed to be secure in today's hostile
Internet environment. It does as little as possible in setuid programs
and as little as possible as the superuser--and does nothing setuid
root. It does separate functions in separate, mutually untrusting
programs--breaking one function won't break the whole system. It
avoids error-prone parsing as much as it can. It keeps the distinction
between addresses and programs/files clear so it won't be tricked into
accessing the system in unintended ways. It is also small and simple,
yet surprisingly powerful, and was coded with almost fanatical care to
avoid security pitfalls.
The Challenge
Now that qmail version 1.01 is available, a group of qmail supporters
from the djb-qmail mailing list has pooled its resources and issued a
challenge to the UNIX security community intended to subject qmail to
the same kind of rigorous inspection that sendmail has been given.
They're offering a cash prize (currently $375, although $500 has been
pledged) to the first person or group to find a security bug in
qmail. Dan Bernstein has also offered his own $500 reward, but he
requires that the bug be present on a system with publicly available
source code so he can be sure the problem really lies with qmail, not
the operating system. Contact Dan for more information about his
offer.
Rules
1.The qmail Security Challenge, hereinafter to referred to as "The
Challenge", begins April 23, 1997, and ends when the prize is
awarded or at midnight, Eastern daylight savings time, April 23,
1998, whichever comes first.
2.The Challenge is being run by the Challenge Committee,
hereinafter referred to as "The Committee", consisting of Dave
Sill (chairman) and all bona fide donors. The Committee is
independent, and is not associated with any other organization.
3.A maximum of one prize will be awarded.
4.The prize will be a cashier's check in US dollars equal to the
total amount of the donations of the individual Committee members
plus any interest earned on the donations during The Challenge.
The prize is being held in escrow by the chairman and currently
totals three hundred seventy five US dollars (US$375).
5.Unclaimed prize money will be donated to the Free Software
Foundation after the contest ends.
6.To qualify for the prize, the bug must be in the current public
release of qmail at the time a claim is filed. For example, if a
bug is discovered in 1.01 after a subsequent release, but the bug
is fixed in the new release, it's disqualified.
7.Bugs that qualify for the prize, subject to the other conditions
outlined in these rules, must be one of the following:
Remote exploits that give login access.
Local or remote exploits that grant root privileges.
Local or remote exploits that grant read or write access to a
file the user can't normally access because of UNIX
access controls (owner/group/mode).
Local or remote exploits that cause any of the long-lived
qmail processes (currently: qmail-send, qmail-rspawn,
qmail-lspawn, or qmail-clean) to terminate.
8.The following types of bugs are specifically disqualified:
Exploits that involve corrupting DNS data, breaking TCP/IP,
breaking NFS, or denying service (except for the case
above).
Exploits based on bugs in the host operating system or other
non-qmail code (for example, it's not qmail's fault if
vendor X has a bug that allows users to exploit any
setuid program).
Exploits based on insecure shell commands in .qmail files
(for example, a .qmail file that grants login access
either intentionally or inadvertently).
Exploits based on insecure customized configuration beyond
the minimal install (i.e., normal modifications to
control files to set up virtual domains, etc, are OK, but
if the admin writes a program to rewrite headers, it's
not covered).
Exploits that are not reproducible by The Committee.
9.Claims will be tested on a system with a minimal qmail
configuration based on the INSTALL file included with the qmail
distribution, plus any qualifying modifications to
/var/qmail/control files specified by the claimant.
10.To submit a claim, details must be sent to dsill@highland.net
before the contest ends. Claims will be evaluated in the order
received. Entries will be acknowledged by return e-mail. The
Committee will not be responsible for unacknowledged entries. The
Committee will evaluate claims within sixty (60) days of
confirmed receipt of submission.
11.The Committee disclaims all liability for anything related to the
contest. The Committee will not award the prize to anyone who
causes any disruption in service to any system that is not the
responsibility of the claimant. We recommend that all testing be
done on systems dedicated to that purpose.
12.These rules can be modified at any time by The Committee. Rules
changes will be announced on the djb-qmail@koobera.math.uic.edu
mailing list. Claims will be evaluated against the most recently
announced rules at the time the claim is received by The
Committee.
This document is also available from
<URL:http://web.infoave.net/~dsill/qmail.html>.