From owner-freebsd-security Sun Nov 17 20:46:45 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA09304 for security-outgoing; Sun, 17 Nov 1996 20:46:45 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id UAA09283 for ; Sun, 17 Nov 1996 20:46:37 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vPLaR-0003jx-00; Sun, 17 Nov 1996 21:45:35 -0700
To: newton@communica.com.au (Mark Newton)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
In-reply-to: Your message of "Mon, 18 Nov 1996 13:42:43 +1030." <9611180312.AA15775@communica.com.au>
References: <9611180312.AA15775@communica.com.au>
Date: Sun, 17 Nov 1996 21:45:35 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <9611180312.AA15775@communica.com.au> Mark Newton writes:
: Garbage. You can create the mailbox at the same time that you create
: the user (as part of the adduser script). Set the mailbox's gid to
: "smtp" and run sendmail with the "smtp" gid (actually, I don't do this
: on our gateway machine at Communica: Nobody ever logs in to it, nobody
: ever receives mail on it, sendmail is configured to forward "local" mail
: to an internal host; special privileges to write local mailboxes aren't
: needed, so sendmail doesn't get them given to it).

And if that file is ever removed? Then you are SOL.

: Removing shell escapes from .forward is, IMHO, of a similar league to
: disabling the functionality of .rhosts files. Shell escapes are, and always
: have been, a feature which permits unaccountable abuses of security to
: provide "ease of use" which only a small subset of users really care about.

I'm sorry, but that is not an acceptable answer in a general purpose OS.
What you do on your system is OK, but that is *NOT* a good reason to
remove sendmail from the base OS. People expect the ability to run
whatever they please, or at least a subset selected by the admin. In
order to do that, the mail agent must run as that person. In order to
do that, the mail agent must either run a setuid program that is
accessible to the mail delivery agent (and likely others), or it must
run as root.

Your arguments are good for security in general, but they break too
many things for the general OS case. I'm sorry, but saying "and if you
disable these features, then your mail agent doesn't need to run as
root" is not a valid argument. Finding a secure way to run your MTA to
provide those features is a better exercise.

: [ tomorrow's lesson: Why does lpd run as root? ]

Most of the time it doesn't, at least on NetBSD and OpenBSD. :-)

Warner