From owner-freebsd-security Sun Nov 17 21:31:19 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA11811 for security-outgoing; Sun, 17 Nov 1996 21:31:19 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA11798 for ; Sun, 17 Nov 1996 21:31:10 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id WAA25009; Sun, 17 Nov 1996 22:30:45 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id WAA00963; Sun, 17 Nov 1996 22:30:24 -0700 (MST)
Date: Sun, 17 Nov 1996 22:30:19 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Warner Losh
cc: Mark Newton , freebsd-security@FreeBSD.ORG
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

While I agree with what Warner says below, I think Warner would agree that there is no reason that there should not be a fast, easy, no-brains method of switching to a more secure system, with the accompanying limitations, if so desired. While I don't see things like sendmail and lpd moving out of the base distribution anytime soon, I do think that it would be an excellent idea to let (and encourage; like a big screen in sysinstall letting you go through a menu-driven procedure) more secure alternatives be implemented without the admin (who, in many cases, isn't someone who admins Unix for a living) having to do a lot of work.
I have a grand scheme for a program that is a frontend to things like:

- removing the setuid bit from programs you don't use, and giving you a nice explanation of what the effects are
- installing and configuring tcp wrappers
- configuring automated logging and notification of important security events; i.e. a setup program for something like swatch.
- updating your system with recent patches for things like the bazillion holes that have been found in the past, are being found now, and will be found long into the future.
- shooting intruders on sight.

This would be implemented with either one big program or, more likely, a bunch of little programs with a consistent pretty (i.e. sysinstall-like, although libdialog is ugly) interface and a parent program that lets you run any of them. Perhaps some day I will get around to trying to make such a program.

If someone is too stupid to care at all about security, that's their problem. I think, however, that there are a lot of people out there who do care, but have neither the knowledge nor the time to do a lot about it.

On Sun, 17 Nov 1996, Warner Losh wrote:

> I'm sorry, but that is not an acceptable answer in a general purpose
> OS. What you do on your system is OK, but that is *NOT* a good reason
> to remove sendmail from the base OS. People expect the ability to run
> whatever they please, or at least a subset selected by the admin. In
> order to do that, the mail agent must run as that person. In order to
> do that, the mail agent must either run a setuid program that is
> accessible to the mail delivery agent (and likely others), or it must
> run as root.
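The first item on Marc's wish list, auditing and stripping setuid bits from programs the admin does not use, is the kind of thing his proposed frontend would wrap. The script below is an added example written for this archive page; it is not code from the thread or from any FreeBSD tool. It assumes only POSIX `find`, `chmod` and `test`, takes the directory to scan as an argument instead of walking `/`, and separates the "report" step from the "strip" step so the admin can read the list before changing anything.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files under a tree and strip the
# bits from an explicit, admin-chosen list. Not part of the original thread.

# Print every file under $1 with the setuid (4000) or setgid (2000) bit set,
# one path per line, so the admin can decide which ones are actually needed.
list_setuid() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Return 0 if $1 carries a setuid or setgid bit, 1 otherwise.
has_setuid_bits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Remove setuid and setgid bits from each file named on the command line.
# Prints what changed; skips names that are not regular files so a typo in
# the admin's list cannot touch a directory or a device node.
# Effect of stripping: the program keeps running, but only with the
# privileges of whoever invokes it, so unprivileged users lose whatever the
# program used root (or its group) for. That is the trade-off Marc's
# "nice explanation" would spell out per program.
strip_setuid() {
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skip (not a regular file): $f" >&2
            continue
        fi
        if has_setuid_bits "$f"; then
            chmod u-s,g-s "$f" && echo "stripped setuid/setgid: $f"
        else
            echo "already clean: $f"
        fi
    done
}

# Count how many setuid/setgid files remain under $1; handy as a post-check.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: audit a directory given as the first argument.
# (Only runs when the script is executed directly with an argument.)
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
    echo "setuid/setgid files under $1:"
    list_setuid "$1"
fi
```

A realistic workflow is `list_setuid /usr/bin > /root/setuid.txt`, then editing that file down to the programs that are unused on the box, then `strip_setuid $(cat /root/setuid.txt)`; rerunning `count_setuid` afterwards confirms the result. Stripping bits from a program you do still rely on (as Warner notes for local mail delivery) breaks it for unprivileged users, so the report step is the important one.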