Date: Mon, 18 Nov 1996 12:15:30 -0500 (EST)
From: pgiffuni@fps.biblos.unal.edu.co
To: Marc Slemko <marcs@znep.com>
Cc: Poul-Henning Kamp <phk@critter.tfs.com>, freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID: <Pine.A41.3.95.961118121335.36840B-100000@fps.biblos.unal.edu.co>
In-Reply-To: <Pine.BSF.3.95.961118081010.4525A-100000@alive.ampr.ab.ca>

I run it under inetd, as tcp_wrappers needs it there.
BTW if someone is writing from an "UNKNOWN" host I can't hear you !!

Pedro.

On Mon, 18 Nov 1996, Marc Slemko wrote:

> What does sendmail need to do WRT binding to ports that a webserver
> doesn't? Programs such as webservers work quite well with a parent
> process running as root that binds to the port and forks children running as
> some non-root uid to handle requests. Why couldn't (this part) of
> sendmail's problems be fixed the same way?
>
> On Mon, 18 Nov 1996, Poul-Henning Kamp wrote:
>
> > What we REALLY need, is a way for root, to hand out certain privileges.
> >
> > Imagine this:
> >
> > sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
> > sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
> > sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
> > sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
> >
> > This means that users with UID smtp can bind to socket 25 (aka smtp),
> > and so on. Now sendmail NEVER needs to be root.
> >
> > How's that for security ?