From owner-freebsd-security Thu Nov 21 03:14:12 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA18181 for security-outgoing; Thu, 21 Nov 1996 03:14:12 -0800 (PST)
Received: from al.imforei.apana.org.au (al.imforei.apana.org.au [202.12.89.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA18134 for ; Thu, 21 Nov 1996 03:13:14 -0800 (PST)
Received: (from pjchilds@localhost) by al.imforei.apana.org.au (beBop) id VAA27330; Thu, 21 Nov 1996 21:42:22 +1030 (CST)
Date: Thu, 21 Nov 1996 21:42:22 +1030 (CST)
From: Peter Childs
Message-Id: <199611211112.VAA27330@al.imforei.apana.org.au>
To: newton@communica.com.au (Mark Newton), freebsd-security@freebsd.org
Cc: miff@spam.frisbee.net.au
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
X-Newsreader: TIN [UNIX 1.3 unoff BETA release 961020]
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In article <9611180435.AA17191@communica.com.au> you wrote:
: Michael Smith wrote:
:
: > Mark's sense of warmth is perhaps slightly over-smug,
:
: Have you ever known me to be any different? :-)
:
: > but his point is
: > valid. In fact, if it were possible to be non-root and bind to port 25,
:
: That's a wonderful point: The only reason sendmail needs root to bind to
: port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP
: ports less than 1024 can only be allocated by a privileged user. TCP/IP
: implementations on non-UNIX platforms disagree violently with this
: assumption, which makes the value of this "security" feature rather dubious.
: It would be foolish of me to argue to have it changed, though :-)

I'm just doing a little bit of poking and from what I can see all calls to
bindresvport() go through bind() to the bind syscall. The bind syscall ends
up in in_pcbbind (note pg 444 and 462 4.4BSD daemon book) and this bit does
the check and returns EACCES on IPPORT_RESERVED && uid == root.

Could an additional check in here just be used to check that if port
requested is 25 and uid == mailmanager's uid then OK it? Am I missing
something, or is this fairly trivial? It "seems" pretty hackish to do it in
the kernel but as a "quick fix" would this do the job?

Regards,
Peter

--
Peter Childs --- http://www.imforei.apana.org.au/~pjchilds
Finger pjchilds@al.imforei.apana.org.au for public PGP key
Drag me, drop me, treat me like an object!
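The reserved-port check discussed in this message, written out as an added userland model of the policy (it is not 4.4BSD kernel source and does not reproduce in_pcbbind): ports below IPPORT_RESERVED are refused with EACCES unless the caller is root, port 0 is left for the kernel to assign, and a hypothetical per-(port, uid) exception table stands in for the proposed "quick fix" of letting a mail manager uid bind port 25. The uid value 8 and the table contents are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Model of the classic BSD rule: ports below this are privileged. */
#define IPPORT_RESERVED 1024

/* One (port, uid) pair the policy admits without root.
 * This is the hypothetical exception discussed in the message. */
struct port_exception {
    uint16_t port;
    uid_t    uid;
};

/* Constructed sample: a mail-manager uid of 8 may bind port 25. */
static const struct port_exception exceptions[] = {
    { 25, 8 },
};

/* Returns 0 when the bind would be permitted, or EACCES when the
 * privileged-port rule rejects it. Mirrors the order a kernel check
 * would apply: ephemeral request first, then root, then exceptions. */
int reserved_port_check(uint16_t port, uid_t uid)
{
    /* Port 0 asks the kernel to pick an ephemeral port: never privileged. */
    if (port == 0)
        return 0;
    /* Unprivileged range, or root asking: allowed as in stock BSD. */
    if (port >= IPPORT_RESERVED || uid == 0)
        return 0;
    /* Privileged port from a non-root uid: only a listed exception passes. */
    for (size_t i = 0; i < sizeof exceptions / sizeof exceptions[0]; i++) {
        if (exceptions[i].port == port && exceptions[i].uid == uid)
            return 0;
    }
    return EACCES;
}
```

Note that a uid-keyed exception widens the trust boundary to every process running as that uid, not just the mail daemon, which is the trade-off a reviewer would weigh before putting such a rule in the kernel.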