From owner-freebsd-security Thu Jan 9 07:35:29 1997
Message-Id: <3.0.32.19970109163513.009da930@dimaga.com>
Date: Thu, 09 Jan 1997 16:35:14 +0100
To: Pierre.Beyssac@hsc.fr (Pierre Beyssac)
From: Eivind Eklund
Subject: Re: sendmail running non-root SUCCESS!
Cc: security@freebsd.org

At 03:35 PM 1/9/97 +0100, Pierre Beyssac wrote:
>Rather, something sendmail would call by giving it a program name
>and a user id to run it as.
>
>For example, supposing a ~user/.forward is
>
>\user, "| /home/user/bin/myownstuff"
>
>sendmail could process the .forward as usual, but it would
>call the external prog mailer to ask it to run "/home/user/bin/myownstuff"
>as "user" and pipe the mail to it.
>
>Obviously it has to be more complicated than that or it would
>be a trivial new hole in the system (we can't rely on just checking
>that sendmail is calling us, that would not make us immune to attacks
>on sendmail itself).

There is a trivial solution. Just make 'progmail' parse .forward too (could
be compiled from the same source), and just take a user-id (and mail on
stdin). No holes that I can see.

Eivind Eklund / perhaps@yes.no / http://maybe.yes.no/perhaps/
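The design in this reply, sketched as an added example (not code from the thread, sendmail or FreeBSD): the helper is given only a user id, drops to that user, and takes the command from the user's own .forward, so a subverted caller cannot name an arbitrary program. The function names forward_pipe_target and progmail_deliver are hypothetical, the .forward parsing is simplified, only the first pipe entry is run, and refusing uid 0 is an assumption of this sketch.

```c
#define _DEFAULT_SOURCE                 /* for initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Added illustration; "progmail" is the hypothetical helper from the thread.
 * Copy the first pipe entry of one .forward line into out. Accepts the quoted
 * form "| prog args" and the bare form |prog; skips addresses such as \user.
 * Returns 1 if a pipe entry was found and fits in out, else 0. */
int forward_pipe_target(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    while (*p) {
        p += strspn(p, " \t,\r\n");     /* skip separators between entries */
        if (!*p) break;
        int quoted = (*p == '"');
        p += quoted;
        const char *end = p + strcspn(p, quoted ? "\"\r\n" : ",\r\n");
        if (*p == '|') {
            const char *s = p + 1 + strspn(p + 1, " \t");
            if (s >= end || (size_t)(end - s) >= outlen) return 0;
            memcpy(out, s, (size_t)(end - s));
            out[end - s] = '\0';
            return 1;
        }
        p = (*end == '"') ? end + 1 : end;
    }
    return 0;
}

/* Deliver the mail on stdin for uid. The caller (for example a non-root
 * sendmail) passes only the uid; the command comes from ~uid/.forward. */
int progmail_deliver(uid_t uid)
{
    char path[1024], line[1024], cmd[1024];
    struct passwd *pw = getpwuid(uid);
    int found = 0;
    if (!pw || uid == 0) return -1;     /* assumption: never deliver as root */
    /* Drop to the target user before opening any file that user controls. */
    if (initgroups(pw->pw_name, pw->pw_gid) || setgid(pw->pw_gid) || setuid(uid))
        return -1;
    if (snprintf(path, sizeof path, "%s/.forward", pw->pw_dir) >= (int)sizeof path)
        return -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (!found && fgets(line, sizeof line, f))
        found = forward_pipe_target(line, cmd, sizeof cmd);
    fclose(f);
    if (!found) return 0;               /* no pipe entry: nothing to run */
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
    return -1;                          /* only reached if exec failed */
}
```

The helper needs root (setuid or a root-owned wrapper) for the privilege drop to succeed; the caller does not.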