From owner-freebsd-security Sun Nov 17 20:46:37 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA09281 for security-outgoing; Sun, 17 Nov 1996 20:46:37 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA09261 for ; Sun, 17 Nov 1996 20:46:27 -0800 (PST)
Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.2/8.7.3) id PAA17729; Mon, 18 Nov 1996 15:16:22 +1030 (CST)
From: Michael Smith
Message-Id: <199611180446.PAA17729@genesis.atrad.adelaide.edu.au>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
In-Reply-To: <9611180435.AA17191@communica.com.au> from Mark Newton at "Nov 18, 96 03:05:38 pm"
To: newton@communica.com.au (Mark Newton)
Date: Mon, 18 Nov 1996 15:16:21 +1030 (CST)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Mark Newton stands accused of saying:
> Michael Smith wrote:
>
> > Mark's sense of warmth is perhaps slightly over-smug,
>
> Have you ever known me to be any different? :-)

Ah well, I guess not. (I guess my Pringle lease has expired too. *sigh*)

> It would be foolish of me to argue to have it changed, though :-)

But no more foolish than many of your other crusades 8)

> That would have allowed a user to obtain a setuid shell owned by the
> "smtp" user by exploiting the latest bug. While not as serious as a
> root shell, I'm still not wonderfully happy about the possibility.

Perhaps. Still, I argue along similar lines to you; no users on mail
machines, no mail on user machines. In fact, I think that shell
accounts have very little use in most environments. (Teaching and
development are about the only two left IMHO.)

> Mark Newton Email: newton@communica.com.au

--
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile)     0411-222-496   [[
]] realtime instrument control.         (ph)          +61-8-8267-3493   [[
]] Unix hardware collector.             "Where are your PEZ?" The Tick  [[