From owner-freebsd-security Thu Nov 21 04:25:15 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA21088 for security-outgoing; Thu, 21 Nov 1996 04:25:15 -0800 (PST)
Received: from lovely.spam.frisbee.net.au (lovely.spam.frisbee.net.au [202.0.75.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id EAA21064 for ; Thu, 21 Nov 1996 04:25:09 -0800 (PST)
Received: from lovely.spam.frisbee.net.au (localhost [127.0.0.1]) by lovely.spam.frisbee.net.au (8.8.2/8.6.12) with SMTP id XAA03688; Thu, 21 Nov 1996 23:01:29 +1030 (CST)
Message-ID: <32944B9F.41C67EA6@spam.frisbee.net.au>
Date: Thu, 21 Nov 1996 23:01:27 +1030
From: michael smith
X-Mailer: Mozilla 3.01 (X11; I; FreeBSD 3.0-CURRENT i386)
MIME-Version: 1.0
To: Peter Childs
CC: Mark Newton , freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
References: <199611211112.VAA27330@al.imforei.apana.org.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Peter Childs wrote:
>
> I'm just doing a little bit of poking and from what I can see all
> calls to bindresvport() go through bind() to the bind syscall. The
> bind syscall ends up in in_pcbbind (note pg 444 and 462 4.4BSD daemon
> book) and this bit does the check and returns EACCES on
> IPPORT_RESERVED && uid == root.
>
> Could an additional check in here just be used to check that if port
> requested is 25 and uid == mailmanager's uid then OK it?

That's basically just hardcoding the more generic ideas bandied around
earlier. The long-term solution is the "registry" concept, which is not
really ready for showtime in any of the models that have been discussed.

> Am I missing something, or is this fairly trivial? It "seems" pretty
> hackish to do it in the kernel but as a "quick fix" would this do the
> job?

You wouldn't get it into the main tree, but as a local modification
it'd most likely be effective.

> Peter Childs --- http://www.imforei.apana.org.au/~pjchilds

--
Mike Smith *BSD hack Unix hardware collector
The question "why are the fundamental laws of nature mathematical"
invites the trivial response "because we define as fundamental those
laws which are mathematical". Paul Davies, _The_Mind_of_God_
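
Added example, not part of the original message and not FreeBSD kernel source: a userspace C model of the check discussed above, where binding a port below IPPORT_RESERVED returns EACCES unless the caller is the superuser, with the proposed port-25 exception written as a one-entry grant table. The names bind_port_check, struct port_grant and MAIL_UID, and the uid value 25, are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>        /* IPPORT_RESERVED */

/* Hypothetical exception table: a reserved port and the single
 * non-root uid that is allowed to bind it. */
struct port_grant { unsigned short port; uid_t uid; };

#define MAIL_UID ((uid_t)25)   /* assumed uid of the mail manager account */

static const struct port_grant grants[] = {
    { 25, MAIL_UID },          /* SMTP may be bound by the mail manager */
};

/* Model of the policy decision only; port is in host byte order.
 * Returns 0 if uid may bind the port, EACCES otherwise. */
int bind_port_check(unsigned short port, uid_t uid)
{
    size_t i;

    if (port == 0 || port >= IPPORT_RESERVED)
        return 0;              /* kernel-chosen or unprivileged port */
    if (uid == 0)
        return 0;              /* superuser keeps the traditional right */
    for (i = 0; i < sizeof(grants) / sizeof(grants[0]); i++)
        if (grants[i].port == port && grants[i].uid == uid)
            return 0;          /* the proposed exception */
    return EACCES;             /* every other caller is refused as before */
}

int main(void)
{
    /* Constructed sample callers, not taken from the thread. */
    printf("root  -> 25: %d\n", bind_port_check(25, 0));
    printf("mail  -> 25: %d\n", bind_port_check(25, MAIL_UID));
    printf("mail  -> 80: %d\n", bind_port_check(80, MAIL_UID));
    printf("user  -> 25: %d\n", bind_port_check(25, 1001));
    return 0;
}
```

The grant covers exactly one port for one uid, so the mail daemon can take port 25 without root while every other reserved port stays closed to it.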