Date:      Wed, 20 Nov 1996 02:38:52 +0100 (MET)
From:      Mikael Karpberg <karpen@ocean.campus.luth.se>
To:        marcs@znep.com (Marc Slemko)
Cc:        phk@critter.tfs.com, freebsd-security@FreeBSD.ORG
Subject:   Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID:  <199611200138.CAA23822@ocean.campus.luth.se>
In-Reply-To: <Pine.BSF.3.95.961118220414.523B-100000@alive.ampr.ab.ca> from Marc Slemko at "Nov 18, 96 10:21:49 pm"

According to Marc Slemko:
> All arguments about just how much of a MTA needs to be setuid and why it
> can/can't be that way in real/fake life, do people think what phk suggests
> would be a useful thing, either as a separate patch or in the base kernel? 
> 
> It is trivial to implement; took 10 minutes to hack together a limited
> version (ie. uses names like net.inet.tcp.uidforport_25 because I didn't
> feel like creating a new level just for my hack and all the ports aren't
> implemented). 

If it's trivial... Could someone take this suggestion seriously and
simply implement it? Since nothing will happen unless you use it, it's
safe as a default for compatibility, and it gives additional freedom for a more
secure setup.

> The biggest problem I see to implementing such a thing is that I can't see
> a pretty way to make it fit into the sysctl mold without having 1024
> lines, one for each port < 1024.  Anyone have any ideas on how to do that
> nicely or if 1024 lines is ok?

I think it's acceptable with 1024 lines. Really... If all ports default
to root only, how many lines would you have? Do you use all ports < 1024?
And many of those things run under inetd, which has to run as root
anyway. You will probably never use more than a few lines. 

> On Mon, 18 Nov 1996, Poul-Henning Kamp wrote:
[...]
> > 	sysctl -w net.inet.tcp.uidforport.25=`id -ur smtp`
> > 	sysctl -w net.inet.tcp.uidforport.20=`id -ur ftp`
> > 	sysctl -w net.inet.tcp.uidforport.21=`id -ur ftp`
> > 	sysctl -w net.inet.tcp.uidforport.119=`id -ur nntp`
[...]

Just my $0.02
  /Mikael
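The per-port uid table phk and Marc describe, as an added illustration that is not code from this thread or from FreeBSD: a C model of the sysctl setter and the bind-time check, with the function names uidforport_set/uidforport_check, the 1024-slot array, and the uid 25 used for "smtp" all being constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>

#define IPPORT_RESERVED 1024
#define NO_UID ((uid_t)-1)

/* One slot per reserved port, as in the 1024-line sysctl table discussed
 * in the thread. NO_UID (the default) keeps the classic rule: root only. */
static uid_t uidforport[IPPORT_RESERVED];

void uidforport_init(void) {
    for (int p = 0; p < IPPORT_RESERVED; p++) uidforport[p] = NO_UID;
}

/* Model of `sysctl -w net.inet.tcp.uidforport.<port>=<uid>`.
 * Returns 0 on success, -1 with errno set on a bad name or value. */
int uidforport_set(const char *name, uid_t uid) {
    const char *prefix = "net.inet.tcp.uidforport.";
    if (strncmp(name, prefix, strlen(prefix)) != 0) { errno = ENOENT; return -1; }
    char *end;
    long port = strtol(name + strlen(prefix), &end, 10);
    /* Only ports 1..1023 are reserved; anything else has nothing to delegate. */
    if (*end != '\0' || port <= 0 || port >= IPPORT_RESERVED) { errno = EINVAL; return -1; }
    /* Root may bind already; refusing uid 0 keeps the table meaningful. */
    if (uid == 0) { errno = EINVAL; return -1; }
    uidforport[port] = uid;
    return 0;
}

/* The bind-time check: 0 if `uid` may bind `port`, else EACCES as the kernel
 * would return. Unreserved ports (and port 0, "pick one") stay open to all;
 * reserved ports need root or the single uid delegated for exactly that port. */
int uidforport_check(uid_t uid, int port) {
    if (port < 0 || port > 65535) return EINVAL;
    if (port == 0 || port >= IPPORT_RESERVED) return 0;
    if (uid == 0) return 0;
    if (uidforport[port] != NO_UID && uidforport[port] == uid) return 0;
    return EACCES;
}

int main(void) {
    uidforport_init();
    uidforport_set("net.inet.tcp.uidforport.25", 25);  /* constructed uid for smtp */
    printf("uid 25 on port 25: %d\n", uidforport_check(25, 25));  /* 0 */
    printf("uid 25 on port 21: %d\n", uidforport_check(25, 21));  /* EACCES */
    return 0;
}
```

Delegating port 25 to the smtp uid does not open port 21 to it, which is the property that makes the table safe to leave empty by default.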