From owner-freebsd-security Mon Nov 18 21:22:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA16242 for security-outgoing; Mon, 18 Nov 1996 21:22:29 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA16236 for ; Mon, 18 Nov 1996 21:22:24 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id WAA04323; Mon, 18 Nov 1996 22:22:09 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id WAA00676; Mon, 18 Nov 1996 22:21:50 -0700 (MST)
Date: Mon, 18 Nov 1996 22:21:49 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Poul-Henning Kamp
cc: freebsd-security@FreeBSD.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <9172.848302243@critter.tfs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

All arguments about just how much of a MTA needs to be setuid and why it
can/can't be that way in real/fake life, do people think what phk
suggests would be a useful thing, either as a separate patch or in the
base kernel?

It is trivial to implement; took 10 minutes to hack together a limited
version (i.e. uses names like net.inet.tcp.uidforport_25 because I didn't
feel like creating a new level just for my hack and all the ports aren't
implemented).

The biggest problem I see to implementing such a thing is that I can't
see a pretty way to make it fit into the sysctl mold without having 1024
lines, one for each port < 1024. Anyone have any ideas on how to do that
nicely or if 1024 lines is ok?

On Mon, 18 Nov 1996, Poul-Henning Kamp wrote:

> What we REALLY need, is a way for root, to hand out certain privileges.
>
> Imagine this:
>
>       sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
>       sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
>       sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
>       sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
>
> This means that users with UID smtp can bind to socket 25 (aka smtp),
> and so on. Now sendmail NEVER needs to be root.
>
> How's that for security?
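
Added example, not part of the original thread and not FreeBSD kernel code: a user-space C model of the uidforport idea in which one handler parses the trailing port number out of the name, so the reserved ports are backed by a single table rather than 1024 separately declared entries. The function names and the sample uid 25 are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RESERVED 1024                        /* ports below this are privileged */
#define PREFIX   "net.inet.tcp.uidforport."  /* node name used in the thread */
static unsigned int port_owner[RESERVED];    /* owning uid per port; 0 = root only */

/* Map "net.inet.tcp.uidforport.<port>" to its port, or -1 if malformed. */
static int oid_to_port(const char *name)
{
    size_t plen = strlen(PREFIX);
    char *end;
    long port;
    if (strncmp(name, PREFIX, plen) != 0 || name[plen] < '0' || name[plen] > '9')
        return -1;          /* wrong node, or leaf with sign, space or nothing */
    port = strtol(name + plen, &end, 10);
    if (*end != '\0' || port < 1 || port >= RESERVED)
        return -1;          /* trailing junk, or not a reserved port */
    return (int)port;
}

/* Model of "sysctl -w <name>=<uid>": 0 on success, EINVAL on a bad name. */
int uidforport_set(const char *name, unsigned int uid)
{
    int port = oid_to_port(name);
    if (port < 0)
        return EINVAL;
    port_owner[port] = uid;
    return 0;
}

/* Bind-time check: 0 if uid may bind the TCP port, else an errno value. */
int bind_check(unsigned int uid, int port)
{
    if (port < 1 || port > 65535)
        return EINVAL;      /* port 0 (kernel-chosen) is outside this model */
    if (port >= RESERVED || uid == 0)
        return 0;           /* unreserved port, or root exactly as before */
    return port_owner[port] == uid ? 0 : EACCES;
}

int main(void)
{
    uidforport_set(PREFIX "25", 25);  /* constructed: uid 25 stands in for `id -ur smtp` */
    printf("port 25: %d, port 21: %d\n", bind_check(25, 25), bind_check(25, 21));
    return 0;
}
```

A port with no entry keeps the default owner 0, so an unprivileged uid is still refused there and the delegation is strictly opt-in per port.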