To show the effectiveness of netAuth we ported a UBNS service. We have not yet attempted to port a service which is not UBNS organized (such as Apache), as that is a far more difficult problem. We chose an application, dovecot, which supports both privilege separation and UBNS.
Dovecot is an open source IMAP and POP mail server (and is included in Linux distributions such as Debian and Ubuntu). Users can access dovecot-based services remotely using a Mail Viewer Agent (MVA) such as Thunderbird or Outlook. The MVA on the client communicates with dovecot using the IMAP or POP protocols over SSL or unencrypted connections.
Dovecot was built with security as a primary goal. Since January 2006, its developer has offered an as-yet-uncollected reward of 1000 Euro for the first provable security hole9. To support both privilege separation and UBNS, dovecot has four process types, running under root, dovecot pseudo user, and the user retrieving her mail, as shown in Table 4.
Table 5, shows the code organization of the dovecot distribution supporting IMAP (v1.0.9)10. Dovecot also uses pam, crypto, and ssl libraries which are not included in these line counts. The source distribution to support IMAP is 24,628 lines of code, of which 9,30711 (37.8%) are associated with authentication and encryption. The port consisted of removing this code, and copying over less than 1,000 lines from master (configuration and the concurrent server loop) and login (the initial handshake code) to imap.
The port reduces the number of process types from four to one. With a traditional Unix authorization model, the port still requires root to bind to port 143 and to do setuid; but unlike the pre-port version, our imap process never reads user input while running as root and thus is not subject as root to buffer overflow attack. (The privileges can be still reduced further using netAuth's authorization model).
When implementing a imap service from scratch, only 4 netAuth specific lines would be needed to provide authentication and encryption over that required for an unauthenticated service.