From owner-freebsd-security Thu Dec 3 09:45:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA00763 for freebsd-security-outgoing; Thu, 3 Dec 1998 09:45:21 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA00660 for ; Thu, 3 Dec 1998 09:44:14 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id MAA12863; Thu, 3 Dec 1998 12:36:37 -0500 (EST)
Date: Thu, 3 Dec 1998 12:36:36 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Bill Woodford
cc: ML FreeBSD Security
Subject: Re: mail.local
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 3 Dec 1998, Bill Woodford wrote:

> | Could somebody remind me of outcome of removing suid bit from mail.local
> | discussion?
>
> Hmmm, if you remove it, I believe local mail delivery will cease due to
> permission problems.

That is my memory of the conclusions, at least when sendmail is not executing mail.local. If sendmail is executing it (and sendmail is running as root) then I think it does behave correctly, at least when sendmail is running as a daemon. I'm not sure if it behaves correctly when sendmail is running setuid from a normal user account as invoked by, say, pine.

My feeling is more and more that we should be using protocols such as IMAP for mail access rather than try to fit everything into the context of file system permissions, as that requires us to come up with warped program behavior (such as making more things setuid than actually need to be :).
It might be interesting to rewrite an imap daemon to use UNIX daemon sockets and ephemeral credential information to authenticate the user, and similarly have a local SMTP-style domain socket also using ephemeral data for authentication. BSD (and other Unices also) provide us with a lot of tools to make life easier than we actually take advantage of :).

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message