From: pgiffuni@fps.biblos.unal.edu.co
Date: Mon, 18 Nov 1996 10:53:24 -0500 (EST)
To: Warner Losh
Cc: Mark Newton, Alan Batie, adam@homeport.org, freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Sender: owner-security@freebsd.org

On Sun, 17 Nov 1996, Warner Losh wrote:

> In message <9611180247.AA15359@communica.com.au> Mark Newton writes:
> : indeed, precisely what I have done with it here at Communica, where
> : sendmail runs as the unprivileged "smtp" user).
>
> I don't buy this. You need to be able to create a mailbox of an
>
> What am I missing?
>

I haven't done that either, but some firewall software does it. I only
change the daemon's uid in the sendmail.cf so that it will use an
unprivileged user that doesn't even own a shell, as is explained in the
CERT advisory.

Pedro.

> Warner
>