From owner-freebsd-security Sun Nov 17 20:19:36 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA07922 for security-outgoing; Sun, 17 Nov 1996 20:19:36 -0800 (PST)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA07907 for ; Sun, 17 Nov 1996 20:19:09 -0800 (PST)
Received: (from danny@localhost) by panda.hilink.com.au (8.7.6/8.7.3) id PAA07530; Mon, 18 Nov 1996 15:18:19 +1100 (EST)
Date: Mon, 18 Nov 1996 15:18:14 +1100 (EST)
From: "Daniel O'Callaghan"
To: Mark Newton
cc: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <9611180247.AA15359@communica.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 18 Nov 1996, Mark Newton wrote:

> Of course, one of the main reasons why sendmail is so "dangerous" is that
> despite fifteen years of it-hurts-when-I-do-this style experience, we *still*
> run it as root! Why do we do this? Why does nobody understand that a UNIX
> process can't just gratuitously gain privileges unless some other privileged
> program gives them away? Given sendmail's history, why do so many people
> still trust it with root privileges when it doesn't actually need them?!
>
> sendmail really only needs root so that it can bind to the "privileged"
> port 25 when it's running in daemon mode. If you frob filesystem permissions
> sufficiently you can get away without providing sendmail with root
> privileges by running it with a non-root uid out of inetd (which is,
> indeed, precisely what I have done with it here at Communica, where
> sendmail runs as the unprivileged "smtp" user).

I've been thinking about this, too. Why *does* sendmail need to run as root?

a) to bind to port 25 (fixable with inetd, and other ways)
b) to operate on the mail queue (fixable with a group 'mail' or somesuch)
c) to deliver local mail - nope, /usr/libexec/mail.local is suid root to do this.

Are there any other reasons?

Danny
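As an added example that is not part of this thread or of sendmail itself, the bind-then-drop alternative to the inetd approach Mark describes, in C: root is held only for the bind() on port 25 and then released permanently, with the drop verified rather than assumed (the uid/gid 1001 standing in for an "smtp" user is an assumption).

```c
/* Added example, not the thread's code: hold root only to bind port 25, then
 * drop to an unprivileged uid/gid (1001 as a stand-in for "smtp" is assumed). */
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
/* Bind+listen on a loopback TCP port (port 25 needs root); returns fd or -1. */
int bind_port(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Irreversibly drop to uid/gid. Order matters: supplementary groups, then gid,
 * then uid (after setuid() the gid can no longer be changed). 0 = verified drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may clear supplementary groups; tolerate EPERM when not root. */
    if (setgroups(0, NULL) != 0 && geteuid() == 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must not be recoverable */
    return 0;
}
int main(void)
{
    int fd = bind_port(25);                      /* still root here */
    if (fd < 0 || drop_privileges(1001, 1001) != 0) {
        perror("bind on port 25 or privilege drop failed, refusing to serve");
        return 1;
    }
    printf("listening on port 25 as uid %d (fd %d)\n", (int)getuid(), fd);
    return 0;
}
```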