Date: Sun, 17 Nov 1996 21:45:35 -0700
From: Warner Losh <imp@village.org>
To: newton@communica.com.au (Mark Newton)
Cc: batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID: <E0vPLaR-0003jx-00@rover.village.org>
In-Reply-To: Your message of "Mon, 18 Nov 1996 13:42:43 +1030." <9611180312.AA15775@communica.com.au>
References: <9611180312.AA15775@communica.com.au>
In message <9611180312.AA15775@communica.com.au> Mark Newton writes:
: Garbage. You can create the mailbox at the same time that you create
: the user (as part of the adduser script). Set the mailbox's gid to
: "smtp" and run sendmail with the "smtp" gid (actually, I don't do this
: on our gateway machine at Communica: Nobody ever logs in to it, nobody
: ever receives mail on it, sendmail is configured to forward "local" mail
: to an internal host; special privileges to write local mailboxes aren't
: needed, so sendmail doesn't get them given to it).

And if that file is ever removed? Then you are SOL.

: Removing shell escapes from .forward is, IMHO, of a similar league to
: disabling the functionality of .rhosts files. Shell escapes are, and always
: have been, a feature which permits unaccountable abuses of security to
: provide "ease of use" which only a small subset of users really care about.

I'm sorry, but that is not an acceptable answer in a general purpose OS. What you do on your system is OK, but that is *NOT* a good reason to remove sendmail from the base OS. People expect the ability to run whatever they please, or at least a subset selected by the admin. In order to do that, the mail agent must run as that person. In order to do that, the mail agent must either run a setuid program that is accessible to the mail delivery agent (and likely others), or it must run as root.

Your arguments are good for security in general, but they break too many things for the general OS case. I'm sorry, but saying "and if you disable these features, then your mail agent doesn't need to run as root" is not a valid argument. Finding a secure way to run your MTA to provide those features is a better exercise.

: [ tomorrow's lesson: Why does lpd run as root? ]

Most of the time it doesn't, at least on NetBSD and OpenBSD. :-)

Warner
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E0vPLaR-0003jx-00>
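Warner's "and if that file is ever removed?" point, shown as an added example that is not from the thread or from sendmail: a delivery routine running without root appends to an existing, recipient-owned mailbox but never creates one, so a missing mailbox (or a symlink planted in its place) fails closed instead of being recreated with the wrong owner. The DLV_* codes, deliver_to_mailbox and the two fixture helpers are hypothetical names chosen for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { DLV_OK = 0, DLV_MISSING, DLV_NOT_REGULAR, DLV_BAD_OWNER, DLV_IO }; /* delivery outcomes */

/* Append msg to the mailbox at path on behalf of recipient uid.
 * No O_CREAT: an unprivileged agent could not give a new file the recipient's
 * ownership, so a missing mailbox fails closed rather than being recreated.
 * O_NOFOLLOW rejects a symlink planted where the mailbox should be, and the
 * owner check is done on the open descriptor so it cannot be raced. */
int deliver_to_mailbox(const char *path, uid_t uid, const char *msg)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) {
        if (errno == ENOENT) return DLV_MISSING;
        if (errno == ELOOP)  return DLV_NOT_REGULAR;
        return DLV_IO;
    }
    struct stat st;
    int rc = DLV_IO;
    if (fstat(fd, &st) == 0) {
        if (!S_ISREG(st.st_mode))  rc = DLV_NOT_REGULAR;
        else if (st.st_uid != uid) rc = DLV_BAD_OWNER;
        else {
            size_t len = strlen(msg);
            rc = (write(fd, msg, len) == (ssize_t)len) ? DLV_OK : DLV_IO;
        }
    }
    close(fd);
    return rc;
}

/* Constructed fixture: an empty mailbox owned by the calling user, as the
 * adduser step in the thread would create it. Returns 0 on success. */
int make_mailbox(const char *path)
{
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Constructed fixture: a symlink where the mailbox should be. 0 on success. */
int make_symlink(const char *link, const char *target)
{
    unlink(link);
    return symlink(target, link);
}
```

Deliveries for a uid other than the file's owner are also refused, which is the property a group-writable "smtp" mailbox scheme relies on the agent to enforce.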