From owner-freebsd-security Sun Nov 17 20:37:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA08729 for security-outgoing; Sun, 17 Nov 1996 20:37:40 -0800 (PST)
Received: from offensive.communica.com.au (offensive-eth1.adl.communica.com.au [192.82.222.18]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA08686 for ; Sun, 17 Nov 1996 20:37:06 -0800 (PST)
Received: from communica.com.au (frenzy.communica.com.au [192.82.222.65]) by offensive.communica.com.au (8.7.6/8.7.3) with SMTP id PAA14708; Mon, 18 Nov 1996 15:06:07 +1030 (CST)
Received: by communica.com.au (4.1/SMI-4.1) id AA17191; Mon, 18 Nov 96 15:05:39 CDT
From: newton@communica.com.au (Mark Newton)
Message-Id: <9611180435.AA17191@communica.com.au>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: msmith@atrad.adelaide.edu.au (Michael Smith)
Date: Mon, 18 Nov 1996 15:05:38 +1030 (CST)
Cc: imp@village.org, newton@communica.com.au, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.ORG
In-Reply-To: <199611180335.OAA17231@genesis.atrad.adelaide.edu.au> from "Michael Smith" at Nov 18, 96 02:05:04 pm
X-Mailer: ELM [version 2.4 PL21]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Michael Smith wrote:
> Mark's sense of warmth is perhaps slightly over-smug,

Have you ever known me to be any different? :-)

> but his point is valid. In fact, if it were possible to be non-root and bind to port 25,

That's a wonderful point: The only reason sendmail needs root to bind to port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP ports less than 1024 can only be allocated by a privileged user. TCP/IP implementations on non-UNIX platforms disagree violently with this assumption, which makes the value of this "security" feature rather dubious.

It would be foolish of me to argue to have it changed, though :-)

> then sendmail could be run non-root in daemon mode and not be called from cron (which Mark omitted to mention).

That would have allowed a user to obtain a setuid shell owned by the "smtp" user by exploiting the latest bug. While not as serious as a root shell, I'm still not wonderfully happy about the possibility.

- mark

---
Mark Newton                               Email: newton@communica.com.au
Systems Engineer                          Phone: +61-8-8373-2523
Communica Systems                         WWW:   http://www.communica.com.au