From owner-freebsd-security Sun May 5 04:37:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id EAA13007 for security-outgoing; Sun, 5 May 1996 04:37:11 -0700 (PDT)
Received: from glitnir.cfar.UMD.EDU (glitnir.cfar.umd.edu [128.8.132.40]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id EAA13002 for ; Sun, 5 May 1996 04:37:09 -0700 (PDT)
Received: by glitnir.cfar.UMD.EDU (8.7.5/UMIACS-0.9/04-05-88) id HAA29335; Sun, 5 May 1996 07:37:00 -0400 (EDT)
Message-Id: <199605051137.HAA29335@glitnir.cfar.UMD.EDU>
To: Thomas J Balfe
cc: security@freebsd.org
Subject: Re: sendmail
In-reply-to: Your message of "Sat, 04 May 1996 16:53:49 -0000."
Date: Sun, 05 May 1996 07:37:00 -0400
From: He Who Urges Ampersands
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 04 May 1996 16:53:49 -0000, tbalfe@tioga.com wrote:
> I have recently compiled sendmail from cert.org. What I want to know,
> does sendmail have to be mode 4555 to function correctly, or will it
> function correctly as mode 555? Or even 4111?

Sendmail runs as to deliver 's mail. In particular, if .forward runs any programs, you want them to run as that user. Otherwise you're opening up a security hole. So sendmail has to be able to set its euid, which means it has to run as root.

If you run sendmail from inetd, or from /etc/rc.whatever, it'll run as root and your machine will be able to receive mail.

If you make it setuid root, then J. Random Program can run sendmail to send mail to someone. If you make sendmail mode 555, then that will break. You can either try to fix all of the programs that break, or you can try to come up with a workaround (e.g., make /usr/lib/sendmail a program that simply talks to the local host's SMTP port; or make /etc/sendmail.cf use nullclient to forward mail to the local host, port 25, where it gets picked up by the version of sendmail that's running as root).

As usual, if I'm wrong, I'm sure that a chorus of voices will rise up to correct me.

--
Andrew Arensburger, Systems guy         Center for Automation Research
arensb@cfar.umd.edu                     University of Maryland
        Don't crush that dwarf, hand me the pliers.
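
The first workaround named in the message above (a /usr/lib/sendmail replacement that only talks to the local host's SMTP port), sketched as an added example; it is not code from the original post or from sendmail. It assumes a listener on 127.0.0.1:25 and understands only `-t`, `-f` and bare recipient arguments; `prepare` is a name made up here.

```python
"""Unprivileged stand-in for /usr/lib/sendmail (added example): it relays to
the local SMTP listener, so the binary needs no setuid bit."""
import getpass
import smtplib
import socket
import sys
from email import message_from_bytes
from email.utils import getaddresses

SMTP_HOST, SMTP_PORT = "127.0.0.1", 25  # assumption: root-run daemon listens here


def prepare(argv, raw):
    """Map sendmail-style arguments and a raw message to (sender, rcpts, msg)."""
    sender, rcpts, use_headers = None, [], False
    args = iter(argv)
    for arg in args:
        if arg == "-t":                 # recipients come from the headers
            use_headers = True
        elif arg == "-f":               # envelope sender is the next argument
            sender = next(args, None)
        elif arg.startswith("-f"):      # envelope sender glued on: -fuser@host
            sender = arg[2:]
        elif not arg.startswith("-"):   # other options are ignored in this sketch
            rcpts.append(arg)
    msg = message_from_bytes(raw)
    if use_headers:
        fields = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
        rcpts += [addr for _, addr in getaddresses(fields) if addr]
    if sender is None:                  # default: the invoking user on this host
        sender = f"{getpass.getuser()}@{socket.getfqdn()}"
    return sender, rcpts, msg


def main(argv):
    sender, rcpts, msg = prepare(argv, sys.stdin.buffer.read())
    if not rcpts:
        print("no recipients given", file=sys.stderr)
        return 64                       # EX_USAGE from sysexits.h
    # send_message() omits Bcc headers and writes CRLF line endings.
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT) as smtp:
        smtp.send_message(msg, from_addr=sender, to_addrs=rcpts)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Installed mode 555, it gives local programs a way to submit mail while only the daemon started from inetd or /etc/rc runs as root.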