From owner-freebsd-security Sun Nov 17 23:31:41 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA18718 for security-outgoing; Sun, 17 Nov 1996 23:31:41 -0800 (PST)
Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA18700; Sun, 17 Nov 1996 23:31:17 -0800 (PST)
Received: from critter.tfs.com (localhost.phk.dk [127.0.0.1]) by critter.tfs.com (8.8.2/8.8.2) with ESMTP id IAA09174; Mon, 18 Nov 1996 08:30:43 +0100 (MET)
To: Michael Smith
cc: imp@village.org (Warner Losh), newton@communica.com.au, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-reply-to: Your message of "Mon, 18 Nov 1996 14:05:04 +1030." <199611180335.OAA17231@genesis.atrad.adelaide.edu.au>
Date: Mon, 18 Nov 1996 08:30:43 +0100
Message-ID: <9172.848302243@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <199611180335.OAA17231@genesis.atrad.adelaide.edu.au>, Michael Smith writes:
>Warner Losh stands accused of saying:
>>
>> I don't buy this. You need to be able to create a mailbox of an
>> arbitrary user, and then write to that mailbox with that user's uid,
>> or to a shell of that user's uid. To do otherwise would introduce
>> other security problems, some of which have been beat to death in the
>> freebsd lists.
>>
>> What am I missing?
>
>mail.local.
>
>Mark's sense of warmth is perhaps slightly over-smug, but his point is
>valid. In fact, if it were possible to be non-root and bind to port 25,
>then sendmail could be run non-root in daemon mode and not be called from
>cron (which Mark omitted to mention).

What we REALLY need, is a way for root, to hand out certain privileges.

Imagine this:

	sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
	sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
	sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
	sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`

This means that users with UID smtp can bind to socket 25 (aka smtp),
and so on.

Now sendmail NEVER needs to be root.

How's that for security ?

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
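
Added example, not part of the original message and not FreeBSD code: a user-space model of the bind check that the proposed per-port uid table implies. The `net.inet.tcp.uidforport` name is the message's hypothetical sysctl; the function names, the 1024 reserved-port limit and the sample uids are assumptions made for illustration.

```c
/* Added illustration, not FreeBSD code: user-space model of the proposed
 * check. net.inet.tcp.uidforport is the message's hypothetical sysctl. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define RESERVED_LIMIT 1024            /* assumed: ports below this are root-only */
#define OID_PREFIX "net.inet.tcp.uidforport."

static uid_t uidforport[RESERVED_LIMIT];   /* 0 = not delegated, root only */

/* Parse "net.inet.tcp.uidforport.<port>=<uid>"; 0 on success, -1 if malformed. */
int set_uidforport(const char *assignment)
{
    const char *p;
    char *end;
    unsigned long port, uid;

    if (strncmp(assignment, OID_PREFIX, strlen(OID_PREFIX)) != 0)
        return -1;
    p = assignment + strlen(OID_PREFIX);
    if (!isdigit((unsigned char)*p))
        return -1;
    port = strtoul(p, &end, 10);
    if (*end != '=' || port == 0 || port >= RESERVED_LIMIT)
        return -1;                     /* only reserved ports can be delegated */
    p = end + 1;
    if (!isdigit((unsigned char)*p))
        return -1;                     /* uid must be numeric, as `id -ur` prints */
    uid = strtoul(p, &end, 10);
    if (*end != '\0' || uid >= (uid_t)-1)
        return -1;
    uidforport[port] = (uid_t)uid;
    return 0;
}

/* Root binds anything; port 0 (ephemeral) and ports >= 1024 are open to all;
 * a reserved port is open only to the single uid it was delegated to. */
int may_bind(uid_t uid, unsigned port)
{
    if (port > 65535)
        return 0;
    if (uid == 0 || port == 0 || port >= RESERVED_LIMIT)
        return 1;
    return uidforport[port] == uid;
}
```

In this model a delegated uid can bind only its own port, so a compromise of the smtp uid does not yield port 21, and an unset entry falls back to root-only.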