From owner-freebsd-security  Sun Nov 17 19:45:45 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id TAA06161
          for security-outgoing; Sun, 17 Nov 1996 19:45:45 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA06156
          for <freebsd-security@freebsd.org>; Sun, 17 Nov 1996 19:45:37 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id TAA14598; Sun, 17 Nov 1996 19:44:30 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
Message-Id: <199611180344.TAA14598@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 19:44:30 -0800
In-Reply-To: newton@communica.com.au (Mark Newton)
       "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18,  1:17pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: newton@communica.com.au (Mark Newton), batie@agora.rdrop.com (Alan Batie)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: imp@village.org, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co,
        freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 18,  1:17pm, Mark Newton wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} sendmail really only needs root so that it can bind to the "privileged"
} port 25 when it's running in daemon mode.

Some flavors of sendmail close this socket when the load average gets
to high to refuse incoming mail, then re-open it later.

} If you frob filesystem permissions
} sufficiently you can get away without providing sendmail with root
} privileges by running it with a non-root uid out of inetd (which is,
} indeed, precisely what I have done with it here at Communica, where 
} sendmail runs as the unprivileged "smtp" user).

If your users run programs (like vacation) from their .forward files,
sendmail runs these processes under their uids.

If you're in an environment where no local delivery is done, then
you can hack sendmail to setuid(harmless) right after it fork()s,
which should eliminate a lot of the danger, though not the latest
problem :-(.

			---  Truck