From owner-freebsd-questions Sun Dec 6 07:49:16 1998
Message-ID: <19981206104847.A15176@emu.sourcee.com>
Date: Sun, 6 Dec 1998 10:48:47 -0500
From: "Norman C. Rice"
To: mike grommet , Timothy J Luoma
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Advice on sendmail / execution of programs through .forward
References: <199812052049.PAA08277@ocalhost>
In-Reply-To: ; from mike grommet on Sun, Dec 06, 1998 at 09:28:55AM -0600

On Sun, Dec 06, 1998 at 09:28:55AM -0600, mike grommet wrote:
>
>
> On Sat, 5 Dec 1998, Timothy J Luoma wrote:
>
> > Author: mike grommet
> > Date: Fri, 4 Dec 1998 14:06:35 -0600
> > ID:
> >
> > I think removing the execute bit for regular users is the real answer.
> >
> >
> > > I mean, it seems quite possible for a user to upload some sort
> > > of exploit and an appropriate .forward via ftp, send mail to
> > > himself and WHAM. Life gets real bad.
> >
> > Why let them FTP anything?
> >
> > TjL
>
> This machine allows the keeping of personal user pages, but no cgi
> access, so they do need to be able to upload files to the machine...
>
> I just can't believe that there's not some way to make it so sendmail
> can't all but certain files, or somesuch...
>
> and I can't disallow forwards either because this machine hosts various web
> pages / domains for folks who need their incoming mail forwarded to other
> ISP's for their own pick up.

Disallow/turn off support for ~/.forward and simply add an entry
to /etc/aliases for the required mail forwarding. Be sure to run
newaliases after making the changes. This way you will be able to
ensure that no hanky-panky is being performed with the mail
forwarding.

--
Regards,
Norman C. Rice, Jr.

>
>
> Grrr... I'm stuck.
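An added example, not part of the original thread: a sketch of the migration the reply describes. It turns the plain address entries of existing ~/.forward files into /etc/aliases lines and sets aside the program, file and :include: entries for the administrator to review. The function names, users and addresses are hypothetical, and the sample input is constructed.

```python
import re

# Entry prefixes that make sendmail run a program, write a file or read a list.
RISKY_PREFIXES = (("|", "program"), ("/", "file"), (":include:", "include"))

def parse_forward(text):
    """Return (kind, entry) pairs for the contents of one ~/.forward file."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        # Entries are comma separated; a double-quoted entry may contain commas.
        for raw in re.findall(r'\s*("[^"]*"|[^,]+)', line):
            entry = raw.strip().strip('"').strip()
            if not entry:
                continue
            kind = next((k for p, k in RISKY_PREFIXES if entry.startswith(p)),
                        "remote" if "@" in entry else "local")
            pairs.append((kind, entry))
    return pairs

def migrate(forwards):
    """Map {user: .forward text} to (alias lines, {user: entries to review})."""
    aliases, review = [], {}
    for user in sorted(forwards):
        targets = []
        for kind, entry in parse_forward(forwards[user]):
            if kind in ("remote", "local"):
                # "\user" keeps a local copy without re-expanding the alias.
                targets.append("\\" + user if entry == user else entry)
            else:
                review.setdefault(user, []).append(entry)  # never auto-migrated
        if targets:
            aliases.append(f"{user}: {', '.join(targets)}")
    return aliases, review

# Constructed sample input: hypothetical users and addresses.
SAMPLE = {
    "alice": "alice@isp.example\n",
    "bob": "bob, bob@other.example\n",
    "carol": '"|/home/carol/bin/filter -a, -b"\ncarol@isp.example\n',
}

if __name__ == "__main__":
    alias_lines, needs_review = migrate(SAMPLE)
    print("\n".join(alias_lines))  # lines to append to /etc/aliases
    for user, entries in needs_review.items():
        print(f"# review {user}: {entries}")
```

After the generated lines are added to /etc/aliases, newaliases still has to be run as the reply says.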