From owner-freebsd-security  Mon Nov 18 10:34:38 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id KAA03302
          for security-outgoing; Mon, 18 Nov 1996 10:34:38 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id KAA03296
          for <freebsd-security@FreeBSD.org>; Mon, 18 Nov 1996 10:34:34 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id KAA15915; Mon, 18 Nov 1996 10:32:32 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199611181832.KAA15915@salsa.gv.ssi1.com>
Date: Mon, 18 Nov 1996 10:32:32 -0800
In-Reply-To: Ben Black <black@gage.com>
       "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 11:49am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Ben Black <black@gage.com>, Bill Fenner <fenner@parc.xerox.com>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: freebsd-security@FreeBSD.org
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18, 11:49am, Ben Black wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} >It is, of course, possible to run as root for *just long enough* to bind to 
} >port 25.  Then setuid("smtp").
} >
} 
} even better would be finer grained control over access to low numbered ports  
} so you wouldn't need to be root to bind port 25.

Be careful, that blade cuts both ways.  If you do this then you only need
to be able to gain access to the smtp user in order to steal the mail.  This
may be easier than attacking root.

			---  Truck