Date: Thu, 9 Jan 1997 15:35:12 +0100 From: Pierre.Beyssac@hsc.fr (Pierre Beyssac) To: adam@homeport.org (Adam Shostack) Cc: Pierre.Beyssac@hsc.fr (Pierre Beyssac), giles@nemeton.com.au, lyndon@esys.ca, moke@fools.ecpnet.com, freebsd-security@FreeBSD.ORG Subject: Re: sendmail running non-root SUCCESS! Message-ID: <Mutt.19970109153512.pb@sidhe.hsc.fr> In-Reply-To: <199701091347.IAA23487@homeport.org>; from Adam Shostack on Jan 9, 1997 08:47:03 -0500 References: <Mutt.19970109114424.pb@sidhe.hsc.fr> <199701091347.IAA23487@homeport.org>
next in thread | previous in thread | raw e-mail | index | archive | help
According to Adam Shostack: > Pierre Beyssac wrote: > | IMHO, it might be a good idea to develop an external "prog" mailer. > | It would handle all the setuid stuff required for mailing to programs. > | > | Regarding the .forward stuff, I'm not sure sendmail really needs to be > | setuid to handle that. > > You mean something like procmail which can be setuid and does mail > delivery? Not exactly (though I don't know procmail well enough: maybe it can do that too). Rather, something sendmail would call by giving it a program name and a user id to run it as. For example, supposing a ~user/.forward is \user, "| /home/user/bin/myownstuff" sendmail could process the .forward as usual, but it would call the external prog mailer to ask it to run "/home/user/bin/myownstuff" as "user" and pipe the mail to it. Obviously it has to be more complicated than that or it would be a trivial new hole in the system (we can't rely on just checking that sendmail is calling us, that would not make us immune to attacks on sendmail itself). A solution might be to use a .db database as someone suggested, as an authenticated reference owned by root or mail, accessed by sendmail and the prog mailer. A similar idea is configurable permissions for the prog mailer, in this case sendmail doesn't need to know of care about these, it just gets an error if it tries to ask unauthorized things. I don't know how easy it would be to make this secure, it's just an idea. My feeling is that it should be possible to define something more modular than sendmail, with only very few parts setuid inside. -- Pierre.Beyssac@hsc.fr
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Mutt.19970109153512.pb>