From owner-freebsd-security Sun Nov 17 20:10:07 1996
From: Don Lewis
Message-Id: <199611180409.UAA14636@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 20:09:01 -0800
In-Reply-To: newton@communica.com.au (Mark Newton) "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 18, 1:42pm)
To: newton@communica.com.au (Mark Newton), imp@village.org (Warner Losh)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org

On Nov 18, 1:42pm, Mark Newton wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} Garbage. You can create the mailbox at the same time that you create
} the user (as part of the adduser script). Set the mailbox's gid to
} "smtp" and run sendmail with the "smtp" gid

Some MUAs delete empty mailboxes. I think they're broken, but ...

} (actually, I don't do this
} on our gateway machine at Communica: Nobody ever logs in to it, nobody
} ever receives mail on it, sendmail is configured to forward "local" mail
} to an internal host; special privileges to write local mailboxes aren't
} needed, so sendmail doesn't get them given to it).

I'm in the process of building a machine with a very similar configuration.
It'll help me sleep a lot better.

} > or to a shell of that user's uid.
}
} You allow shell escapes? I prefer an administrative model where the
} system administrator gets to decide who can run programs on the local
} host, rather than the users themselves. You don't let pleb users create
} files in a system's cgi-bin directory, why should you let them run
} commands out of their .forward files? Isn't sendmail a program used for
} transferring mail, rather than a program used to allow any user on the
} Internet to execute arbitrary commands on your system?

You can limit the damage by configuring sendmail to use smrsh so that it
can only run those programs that you believe are safe.

--- Truck
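As an added illustration of the smrsh mitigation mentioned at the end of the message (this is not code from the thread or from sendmail), the following shell script models the three checks smrsh applies to a `.forward` command before running it: reject shell metacharacters, keep only the basename of the first word, and require that basename to be an executable in the administrator's approved directory. The throwaway directory, its sample `vacation` program and the simplified metacharacter set are constructed assumptions; the real smrsh is a C program with a compiled-in directory (`/usr/libexec/sm.bin` on FreeBSD) and is enabled with `FEATURE(`smrsh')` in `sendmail.mc`.

```shell
#!/bin/sh
# Simplified model of the policy smrsh enforces on a .forward command.
# Added example, not sendmail's code: the approved directory below is a
# constructed stand-in and the rejected character set is a simplification.

# make_demo_dir: build a throwaway "approved programs" directory holding one
# harmless program, "vacation", and print the directory's path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "vacation autoreply"\n' > "$d/vacation"
    chmod 755 "$d/vacation"
    printf '%s\n' "$d"
}

# smrsh_check DIR "COMMAND LINE": return 0 if the command would be permitted,
# 1 if smrsh would refuse to run it.
smrsh_check() {
    dir=$1
    cmd=$2

    # Rule 1: no characters that chain, redirect, substitute or quote commands.
    if printf '%s' "$cmd" | grep -q '[];|<>&$`()['"'"'"\\]'; then
        return 1
    fi

    # Rule 2: only the basename of the first word matters; a directory prefix
    # supplied by the user is discarded, so "/bin/sh" is looked up as "sh".
    prog=$(printf '%s\n' "$cmd" | awk '{print $1}')
    prog=${prog##*/}
    [ -n "$prog" ] || return 1

    # Rule 3: that basename must be an executable in the approved directory;
    # anything the administrator did not place there is refused.
    [ -x "$dir/$prog" ] || return 1
    return 0
}

SMRSH_DIR=$(make_demo_dir)
for c in "vacation" "/usr/bin/vacation -r" "vacation; id" "sh" "|vacation"; do
    if smrsh_check "$SMRSH_DIR" "$c"; then
        printf 'ALLOW  %s\n' "$c"
    else
        printf 'REJECT %s\n' "$c"
    fi
done
```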