Date: Sun, 17 Nov 1996 21:10:50 -0800 (PST)
From: Brion Moss <brion@queeg.com>
To: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
Cc: Mark Newton <newton@communica.com.au>, freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID: <199611180510.VAA08087@coven.queeg.com>
In-Reply-To: <Pine.BSF.3.91.961118151334.279E-100000@panda.hilink.com.au>
References: <9611180247.AA15359@communica.com.au> <Pine.BSF.3.91.961118151334.279E-100000@panda.hilink.com.au>
Daniel O'Callaghan writes:
> On Mon, 18 Nov 1996, Mark Newton wrote:
> > Of course, one of the main reasons why sendmail is so "dangerous" is that
> > despite fifteen years of it-hurts-when-I-do-this style experience, we *still*
> > run it as root! Why do we do this? Why does nobody understand that a UNIX
> > process can't just gratuitously gain privileges unless some other privileged
> > program gives them away? Given sendmail's history, why do so many people
> > still trust it with root privileges when it doesn't actually need them?!
> >
> > sendmail really only needs root so that it can bind to the "privileged"
> > port 25 when it's running in daemon mode. If you frob filesystem permissions
> > sufficiently you can get away without providing sendmail with root
> > privileges by running it with a non-root uid out of inetd (which is,
> > indeed, precisely what I have done with it here at Communica, where
> > sendmail runs as the unprivileged "smtp" user).
>
> I've been thinking about this, too. Why *does* sendmail need to run as root?
> a) to bind to port 25 (fixable with inetd, and other ways)
> b) to operate on the mail queue (fixable with a group 'mail' or somesuch)
> c) to deliver local mail - nope, /usr/libexec/mail.local is suid root to
> do this.
>
> Are there any other reasons?
>
> Danny

Maybe this is a bit too obvious a suggestion, but why not look at the Sendmail Installation and Operation Guide (found in doc/op of the sendmail distribution)? Try not to laugh when you read the first line:

    4.7.1. To suid or not to suid?

    Sendmail can safely be made setuid to root. At the point where it is
    about to exec(2) a mailer, it checks to see if the userid is zero; if
    so, it resets the userid and groupid to a default (set by the u and g
    options). (This can be overridden by setting the S flag to the mailer
    for mailers that are trusted and must be called as root.) However,
    this will cause mail processing to be accounted (using sa(8)) to root
    rather than to the user sending the mail.

    If you don't make sendmail setuid to root, it will still run but you
    lose a lot of functionality and a lot of privacy, since you'll have to
    make the queue directory world readable. You could also make sendmail
    setuid to some pseudo-user (e.g., create a user called "sendmail" and
    make sendmail setuid to that) which will fix the privacy problems but
    not the functionality issues.

    Also, this isn't a guarantee of security: for example, root
    occasionally sends mail, and the daemon often runs as root.

So, with careful thought, we could probably drop that pesky bit...

-Brion
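The uid/gid reset that section 4.7.1 describes (check for uid zero, fall back to the default user and group before exec(2)-ing a mailer), as an added example in C that is not from the thread or from the sendmail source. The default ids of 65534 and the function names are assumptions standing in for sendmail's u and g options, and the routine also verifies that root cannot be regained afterwards.

```c
/* Added example, not sendmail's code: drop root to a default uid/gid
 * before handing off to a mailer, then verify the drop actually held. */
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>

/* Assumed defaults; sendmail would take these from its u and g options. */
#define DEFAULT_UID ((uid_t)65534)
#define DEFAULT_GID ((gid_t)65534)

/* Returns 1 if privileges were dropped, 0 if the process was not root
 * (nothing to do), -1 if a step failed. Order matters: supplementary
 * groups and the gid must be changed before the uid, because once the
 * uid is non-zero the process can no longer change them. */
int drop_root(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgroups(0, NULL) != 0)   /* clear inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)          /* as root: sets real, effective, saved */
        return -1;
    return 1;
}

/* Returns 1 only if no root identity remains and root cannot be regained
 * (a saved uid of 0 would let setuid(0) succeed). */
int root_is_gone(void)
{
    if (getuid() == 0 || geteuid() == 0 || getgid() == 0 || getegid() == 0)
        return 0;
    return setuid(0) != 0;         /* must fail once the saved uid is gone */
}

int main(void)
{
    int rc = drop_root(DEFAULT_UID, DEFAULT_GID);
    if (rc < 0) {
        perror("drop_root");
        return 1;
    }
    printf("dropped=%d root_is_gone=%d euid=%ld\n",
           rc, root_is_gone(), (long)geteuid());
    return root_is_gone() ? 0 : 1;
}
```

Run it once as root and once as an ordinary user: the first drops to 65534, the second reports nothing to do, and both must end with root_is_gone() true.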