Date:      Fri, 30 Apr 1999 11:49:58 -0600 (MDT)
From:      Paul Hart <hart@iserver.com>
To:        Wojtek <sopel@nemezis.ipan.lublin.pl>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Does mail.local need to be setuid-root?
Message-ID:  <Pine.BSF.3.96.990430112635.28678C-100000@anchovy.orem.iserver.com>
In-Reply-To: <Pine.BSF.4.05.9904301826460.62761-100000@nemezis.ipan.lublin.pl>

On Fri, 30 Apr 1999, Wojtek wrote:

> i think that mail.local is a real mess (there were various exploits for
> it).  why not switch to a more decent mail distribution program
> (procmail ?) as a default for freebsd.

I for one would be very nervous if procmail were SUID/SGID on my system.
Have you ever looked at the sources to procmail?  They are among the most
convoluted and aesthetically disturbing pieces of code I have ever seen.
And procmail is certainly not without its own problems, see for example:

    http://geek-girl.com/bugtraq/1999_2/0031.html
    http://geek-girl.com/bugtraq/1999_2/0043.html
    http://geek-girl.com/bugtraq/1999_2/0040.html

> the other thing in question is - should sendmail be the default mail
> agent on freebsd ?  there are many substitutes for it which have proven
> to be more secure (postfix - by Wietse Venema, or zmailer, qmail, and so
> on..). 

... all with a completely unproven track record, except for qmail perhaps. 

Haven't we already gone to battle over this?  I don't remember who won in
the sendmail versus the rest of the world battle, but this probably
doesn't belong on -security. 

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/


