Date: Mon, 16 Nov 1998 14:04:05 -0600
From: William McVey <wam@sa.fedex.com>
To: Warner Losh <imp@village.org>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, Andre Albsmeier <andre.albsmeier@mchp.siemens.de>, freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Message-ID: <199811162004.OAA18023@s07.sa.fedex.com>

Warner Losh wrote:
<snip>
>sendmail needs to run as root to deliver mail and to bind to port 25.
<snip>
>lpd needs to run as root to access the files that it is printing,
>and to bind to its listening port.

inetd can start processes like sendmail (or lpd) as unprivileged users
already bound to their ports. If the service is started with 'wait'
configured, then the daemon is launched as an unprivileged user which has
complete control of the socket for accepting new connections.

I've seen this used successfully for mail relaying (sendmail started as
"unprivileged" user smtp out of inetd). The smtp user can write the mail
queue, and can invoke the setuid mail.local (which is set to root.mail
4750, so regular users can't play with it). Works like a charm.

 -- William

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
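
The mechanism described in the message above, seen from the daemon's side. This is an added example, not code from the message or from sendmail or inetd: in 'wait' mode the service inherits the already-bound listening socket on descriptor 0 and never needs root itself. The function names `inherited_listener_port` and `serve_one` and the banner text are hypothetical, and the check assumes an IPv4 listener.

```c
/* Added example: a service for an inetd "wait" entry. inetd (root) binds the port,
 * then runs this as the user named in inetd.conf with the listener on fd 0. */
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Local port if fd is a listening IPv4 stream socket (inetd "wait" mode), else -1. */
int inherited_listener_port(int fd)
{
    int type = 0, listening = 0;
    socklen_t len = sizeof(type);
    struct sockaddr_in sa;

    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0 || type != SOCK_STREAM)
        return -1;                  /* not a socket, or not a stream socket */
    len = sizeof(listening);
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &listening, &len) != 0 || !listening)
        return -1;                  /* e.g. the connected socket of a "nowait" entry */
    len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0 || sa.sin_family != AF_INET)
        return -1;
    return ntohs(sa.sin_port);
}

/* Accept one client on the inherited listener and send banner; bytes sent or -1. */
ssize_t serve_one(int lfd, const char *banner)
{
    int c = accept(lfd, NULL, NULL);
    if (c < 0)
        return -1;
    ssize_t n = write(c, banner, strlen(banner));
    close(c);
    return n;
}

int main(void)
{
    int port = inherited_listener_port(STDIN_FILENO);
    if (geteuid() == 0 || port < 0) {   /* user field was root, or not wait mode */
        syslog(LOG_ERR, "need a non-root user and a listening socket on fd 0");
        return 1;
    }
    syslog(LOG_INFO, "uid %d accepting on inherited port %d", (int)geteuid(), port);
    for (;;)                            /* inetd leaves the socket alone until we exit */
        if (serve_one(STDIN_FILENO, "220 example service ready\r\n") < 0)
            return 1;
}
```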
