From owner-freebsd-security Mon Nov 18 04:24:07 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA06612 for security-outgoing; Mon, 18 Nov 1996 04:24:07 -0800 (PST)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id EAA06592 for ; Mon, 18 Nov 1996 04:23:54 -0800 (PST)
Received: (adam@localhost) by homeport.org (8.6.9/8.6.9) id HAA12293; Mon, 18 Nov 1996 07:20:17 -0500
From: Adam Shostack
Message-Id: <199611181220.HAA12293@homeport.org>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: from Warner Losh at "Nov 17, 96 09:45:35 pm"
To: imp@village.org (Warner Losh)
Date: Mon, 18 Nov 1996 07:20:16 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Warner Losh wrote:
| In message <9611180312.AA15775@communica.com.au> Mark Newton writes:
| : Removing shell escapes from .forward is, IMHO, of a similar league to
| : disabling the functionality of .rhosts files. Shell escapes are, and always
| : have been, a feature which permits unaccountable abuses of security to
| : provide "ease of use" which only a small subset of users really care about.
|
| I'm sorry, but that is not an acceptable answer in a general purpose
| OS. What you do on your system is OK, but that is *NOT* a good reason
| to remove sendmail from the base OS. People expect the ability to run
| whatever they please, or at least a subset selected by the admin. In
| order to do that, the mail agent must run as that person. In order to
| do that, the mail agent must either run a setuid program that is
| accessible to the mail delivery agent (and likely others), or it must
| run as root.

The Mail Delivery Agent must run as root, and set its uid to recipient.
I've used a non-root sendmail with setuid procmail to make this work just fine.
We should all be thinking in terms of separation of privilege and least
privilege.

Adam

--
"It is seldom that liberty of any kind is lost all at once."
	-Hume
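
The "subset selected by the admin" idea from the quoted text, as an added example that is not part of the original thread or of sendmail: a sketch that classifies the entries of a .forward file and flags program deliveries outside an admin allowlist. The allowlist paths, the sample file and the simplified entry parsing (commas or newlines, optional double quotes) are assumptions.

```python
import shlex

# Hypothetical admin policy: full paths of programs a user may pipe mail to.
ALLOWED_PROGRAMS = {"/usr/local/bin/procmail", "/usr/bin/vacation"}
# Characters that, if the command is handed to a shell, could run more
# than the one named program.
SHELL_META = set(";&|<>`$\n")

def split_entries(text):
    # Split .forward text on commas/newlines, honouring double quotes.
    entries, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch in ",\n" and not quoted:
            entries.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    entries.append("".join(buf).strip())
    return [e for e in entries if e]

def classify(entry):
    # Return (kind, verdict) for one forwarding entry.
    if entry.startswith("|"):
        command = entry[1:].strip()
        try:
            argv = shlex.split(command)
        except ValueError:
            return "program", "deny: unparsable command"
        if not argv or argv[0] not in ALLOWED_PROGRAMS:
            return "program", "deny: program not on allowlist"
        if SHELL_META & set(command):
            return "program", "deny: shell metacharacters"
        return "program", "ok"
    if entry.startswith("/"):
        return "file", "review: delivery to file"
    return "address", "ok"

def audit(text):
    return [(e,) + classify(e) for e in split_entries(text)]

# Constructed sample .forward, not taken from the thread.
SAMPLE = r'''\adam, "|/usr/local/bin/procmail -f-"
"|/bin/sh -c 'cat >> /home/adam/log'"
"|/usr/bin/vacation adam; echo done"
/home/adam/mail.archive
'''

if __name__ == "__main__":
    for entry, kind, verdict in audit(SAMPLE):
        print(f"{verdict:32} {kind:8} {entry}")
```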