From owner-freebsd-bugs Sun Mar 23 07:52:43 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA11284 for bugs-outgoing; Sun, 23 Mar 1997 07:52:43 -0800 (PST) Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id HAA11273; Sun, 23 Mar 1997 07:52:29 -0800 (PST) Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id QAA02146; Sun, 23 Mar 1997 16:51:52 +0100 Received: (from j@localhost) by uriah.heep.sax.de (8.8.5/8.8.5) id QAA13621; Sun, 23 Mar 1997 16:29:52 +0100 (MET) Message-ID: <19970323162952.NW34878@uriah.heep.sax.de> Date: Sun, 23 Mar 1997 16:29:52 +0100 From: j@uriah.heep.sax.de (J Wunsch) To: peter@spinner.DIALix.COM (Peter Wemm) Cc: dv@kis.ru (Dmitry Valdov), freebsd-bugs@freebsd.org, security-officer@freebsd.org Subject: Re: sendmail can't create PID file because of owner permission of /var/run References: <19970323153519.BW27841@uriah.heep.sax.de> <199703231520.XAA05026@spinner.DIALix.COM> X-Mailer: Mutt 0.60_p2-3,5,8-9 Mime-Version: 1.0 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) In-Reply-To: <199703231520.XAA05026@spinner.DIALix.COM>; from Peter Wemm on Mar 23, 1997 23:20:33 +0800 Sender: owner-bugs@freebsd.org X-Loop: FreeBSD.org Precedence: bulk As Peter Wemm wrote: > Hmm.. this makes me rather nervous.. safefile() is a sensative component > of the security system in sendmail to avoid .forward security holes and so > on. Any changes here could have devastating consequences. Yep, that's why i've Cc'ed you and the security officers. I didn't think it's a good fix either, but now i've got your attention. *grin* > IMHO, this patch is going 180 degrees in the wrong direction. We should > have the system directories and binaries root:bin and not group writeable. > NFS access makes uid and gid bin far too vulnerable. Hmm. Anybody who's going to share his /var/run over NFS deserves to be shot with coredumps not below 5 MB per day... Same for /var/log and /var/spool, to the least. (It might make sense to NFS-mount it for a diskless machine, but if you cannot trust your boot server, you shouldn't boot diskless at all.) OTOH, i don't see why it should be writeable to `bin' either, if at all, it should probably be writeable for `daemon'. Still, i think sendmail is doing silly at this point. (Note safefile() itself, but the use of safefile() for the PID file. But, yes, i know, one of the more embarassing vulnerabilities of sendmail recently was related to people allowed to restart the daemon...) -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-)