Date:      Thu, 9 Jan 1997 15:35:12 +0100
From:      Pierre.Beyssac@hsc.fr (Pierre Beyssac)
To:        adam@homeport.org (Adam Shostack)
Cc:        Pierre.Beyssac@hsc.fr (Pierre Beyssac), giles@nemeton.com.au, lyndon@esys.ca, moke@fools.ecpnet.com, freebsd-security@FreeBSD.ORG
Subject:   Re: sendmail running non-root SUCCESS!
Message-ID:  <Mutt.19970109153512.pb@sidhe.hsc.fr>
In-Reply-To: <199701091347.IAA23487@homeport.org>; from Adam Shostack on Jan 9, 1997 08:47:03 -0500
References:  <Mutt.19970109114424.pb@sidhe.hsc.fr> <199701091347.IAA23487@homeport.org>

According to Adam Shostack:
> Pierre Beyssac wrote:
> | IMHO, it might be a good idea to develop an external "prog" mailer.
> | It would handle all the setuid stuff required for mailing to programs.
> | 
> | Regarding the .forward stuff, I'm not sure sendmail really needs to be
> | setuid to handle that.
> 
> You mean something like procmail which can be setuid and does mail
> delivery?

Not exactly (though I don't know procmail well enough: maybe it
can do that too).

Rather, something sendmail would call by giving it a program name
and a user id to run it as.

For example, supposing a ~user/.forward is

\user, "| /home/user/bin/myownstuff"

sendmail could process the .forward as usual, but it would
call the external prog mailer to ask it to run "/home/user/bin/myownstuff"
as "user" and pipe the mail to it.

Obviously it has to be more complicated than that or it would
be a trivial new hole in the system (we can't rely on just checking
that sendmail is calling us, that would not make us immune to attacks
on sendmail itself).

A solution might be to use a .db database as someone suggested,
as an authenticated reference owned by root or mail, accessed
by sendmail and the prog mailer.

A similar idea is configurable permissions for the prog mailer;
in this case sendmail doesn't need to know or care about these,
it just gets an error if it tries to ask unauthorized things.

I don't know how easy it would be to make this secure, it's just an
idea. My feeling is that it should be possible to define something
more modular than sendmail, with only very few parts setuid inside.
-- 
Pierre.Beyssac@hsc.fr
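The authorisation step such an external prog mailer would have to perform, as an added example that is not code from this thread, from sendmail or from FreeBSD. It assumes the root-owned ".db database" of the message is a table mapping a user to the programs that user may run from .forward; the allow-list contents, the .forward line, the program paths and every function name here are constructed for illustration. The .forward text is treated as untrusted (sendmail itself may have been subverted), so it can only name a program, never grant the right to run it, and the program is executed directly with privileges dropped rather than through a shell.

```python
"""Sketch of an external "prog" mailer's authorisation check (hypothetical)."""
import os
import pwd
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed allow-list standing in for the root-owned authorisation table.
# Only entries here can ever be executed, whatever a .forward file says.
ALLOW_LIST: Dict[str, Set[str]] = {
    "user": {"/home/user/bin/myownstuff"},
    "alice": {"/usr/local/bin/procmail"},
}

# Characters that would only matter if the command went through /bin/sh;
# we never use a shell, so their presence marks a request to refuse.
SHELL_META = set("|&;<>()$`\\\"'*?[]#~{}\n")


def parse_forward(text: str) -> List[str]:
    """Split .forward contents into entries, honouring double quotes.

    '\\user, "| /home/user/bin/myownstuff"' -> ['\\user', '| /home/user/bin/myownstuff']
    """
    entries: List[str] = []
    cur: List[str] = []
    quoted = False
    for ch in text:
        if ch == '"':
            quoted = not quoted          # quotes delimit, they are not kept
        elif ch in ",\n" and not quoted:
            entries.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    entries.append("".join(cur).strip())
    return [e for e in entries if e]


def authorize(user: str, entry: str, allow: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Decide whether `entry` may be run as `user`; returns (ok, reason)."""
    if not entry.startswith("|"):
        return False, "not a program entry"
    if not user or user == "root":
        return False, "never run programs as root"
    cmd = entry[1:].strip()
    if not cmd or any(c in SHELL_META for c in cmd):
        return False, "shell metacharacters are not accepted"
    prog = cmd.split()[0]
    if not os.path.isabs(prog) or ".." in prog.split("/"):
        return False, "program must be an absolute, normalised path"
    if prog not in allow.get(user, set()):
        return False, f"{prog} is not permitted for {user}"
    return True, "ok"


def run_as_user(user: str, entry: str, message: bytes,
                allow: Dict[str, Set[str]] = ALLOW_LIST) -> int:
    """Pipe `message` into the program, running it as `user`.

    Must be started as root for the privilege drop to succeed; otherwise
    setgid/setuid fail and nothing is executed (fail closed).
    """
    ok, why = authorize(user, entry, allow)
    if not ok:
        raise PermissionError(why)
    argv = entry[1:].split()
    pw = pwd.getpwnam(user)
    if pw.pw_uid == 0:
        raise PermissionError("refusing to run as uid 0")

    def drop_privs() -> None:
        # Supplementary groups and gid first; setuid last, since after it we
        # no longer have the right to change the others.
        os.initgroups(user, pw.pw_gid)
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)

    proc = subprocess.run(
        argv, input=message, preexec_fn=drop_privs, cwd=pw.pw_dir,
        env={"PATH": "/bin:/usr/bin", "HOME": pw.pw_dir, "USER": user},
        check=False,
    )
    return proc.returncode


if __name__ == "__main__":
    forward = '\\user, "| /home/user/bin/myownstuff"'   # constructed .forward
    for e in parse_forward(forward):
        print(repr(e), authorize("user", e, ALLOW_LIST))
```

The point of the split is that `authorize` consults only the root-owned table: a .forward under the user's control, or a sendmail process under an attacker's control, can ask for `/home/user/bin/myownstuff` and get it, but cannot ask for `/bin/sh`, for a path of another user, or for anything as root. Sendmail's own prog mailer hands the command to `sh -c`; executing `argv` directly is what makes the metacharacter refusal a hard boundary rather than a heuristic.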



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Mutt.19970109153512.pb>