From owner-freebsd-security  Tue Jun 11 12:23:06 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id MAA19586
          for security-outgoing; Tue, 11 Jun 1996 12:23:06 -0700 (PDT)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA19580
          for <security@freebsd.org>; Tue, 11 Jun 1996 12:23:04 -0700 (PDT)
Received: (from nlawson@localhost) by kdat.calpoly.edu (8.6.12/N8) id MAA21929; Tue, 11 Jun 1996 12:23:06 -0700
From: Nathan Lawson <nlawson@kdat.csc.calpoly.edu>
Message-Id: <199606111923.MAA21929@kdat.calpoly.edu>
Subject: Re: setuid root sendmail vs. mode 1733 /var/spool/mqueue?
To: taob@io.org (Brian Tao)
Date: Tue, 11 Jun 1996 12:23:05 -0700 (PDT)
Cc: security@freebsd.org
In-Reply-To: <Pine.NEB.3.92.960609205024.8414G-100000@zap.io.org> from "Brian Tao" at Jun 9, 96 08:57:56 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I didn't want to reboot the shell servers just to chmod sendmail, I
> decided to chmod 1733 /var/spool/mqueue instead:
> 
> drwx-wx-wt  2 root  daemon  2560 Jun  9 20:52 /var/spool/mqueue
> 
>     This allows the non-root sendmails to queue outgoing messages, but
> prevents other users from snooping the mail spool (mailq is disabled
> here, and it looks like queue files are mode 600 anyway).
> 
>     The shell servers don't receive any mail themselves, and sendmail
> runs with a queue processing interval of 5 minutes.  Any comments on
> the validity of my actions?  It seems pretty safe to me, and it
> removes another setuid binary.

Cool.  You've gone from having a possible hole to having a definite, easily
exploited hole.  Let's say I did this:

cat > /var/spool/mqueue/qfXXwhatever
Croot
R<|/bin/sh>
...etc

Next time sendmail -q runs, it executes my commands as root.  Remember,
sendmail trusts inherently in the security of its queue file format.  That's
why the 8.6.9 newline bug was so nasty.

Think 1, 2, 3, 18 times before making such drastic changes.

-- 
Nate Lawson                  "There are a thousand hacking at the branches of
CPE Senior                    evil to one who is striking at the root."
CSL Admin                              -- Henry David Thoreau, 'Walden', 1854