Date:      Wed, 14 May 1997 11:19:26 +0200
From:      j@uriah.heep.sax.de (J Wunsch)
To:        current@FreeBSD.ORG
Subject:   Re: RELENG_2_2
Message-ID:  <19970514111926.DF34579@uriah.heep.sax.de>
In-Reply-To: <7493.863510486@time.cdrom.com>; from Jordan K. Hubbard on May 13, 1997 01:01:26 -0700
References:  <19970513071838.JT48650@uriah.heep.sax.de> <7493.863510486@time.cdrom.com>

As Jordan K. Hubbard wrote:

> But I'm still waiting for someone to explain to me how making dtmail
> and/or some of the other mail agents suid root is any *less* of a
> security hole and all exchanges to date have, rather frustratingly,
> gone something like this:

Thomas admitted that dtmail is unintelligible.  This alone precludes
it from becoming set<any>id.

>   "Look, dtmail is the *only thing* which will even use this friggin' mail
>    group right now and so making it group writable by mail is hardly the
>    enormous security hole that everyone makes it out to be.  You'd prefer
>    dtmail to be suid root??  What about things like popper?

popper is _way_ smaller, basically intelligible, does not provide the
usual dangerous interfaces of MUAs (like spawning shells etc.).  I can
live with 10 poppers being setuid root, if this saves me from an MUA
being set[ug]id at all.

>   However, by doing this we're going to create a fork
> since I *must* have this problem solved for the FreeBSD Desktop/Pro
> release and if there has to be something divergent in that version of
> FreeBSD then diverge it will.  I'm not willing to have dtmail broken
> in this release and Thomas Roell cannot fix this "correctly" in the
> time-span available to him, ...

Did he ever try to hire someone to fix this particular problem?

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)


