Date: Thu, 21 Nov 1996 21:42:22 +1030 (CST)
From: Peter Childs <pjchilds@imforei.apana.org.au>
To: newton@communica.com.au (Mark Newton), freebsd-security@freebsd.org
Cc: miff@spam.frisbee.net.au
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID: <199611211112.VAA27330@al.imforei.apana.org.au>

In article <9611180435.AA17191@communica.com.au> you wrote:
: Michael Smith wrote:
:
:  > Mark's sense of warmth is perhaps slightly over-smug,
: Have you ever known me to be any different?  :-)
:  > but his point is
:  > valid.  In fact, if it were possible to be non-root and bind to port 25,
: That's a wonderful point:  The only reason sendmail needs root to bind to
: port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP
: ports less than 1024 can only be allocated by a privileged user.  TCP/IP
: implementations on non-UNIX platforms disagree violently with this
: assumption, which makes the value of this "security" feature rather dubious.
: It would be foolish of me to argue to have it changed, though :-)

I'm just doing a little bit of poking and from what I can see all calls to
bindresvport() go through bind() to the bind syscall.

The bind syscall ends up in in_pcbbind (note pg 444 and 462 4.4BSD daemon
book) and this bit does the check and returns EACCES on
IPPORT_RESERVED && uid == root.

Could an additional check in here just be used to check that if port
requested is 25 and uid == mailmanager's uid then OK it?

Am I missing something, or is this fairly trivial?  It "seems" pretty
hackish to do it in the kernel but as a "quick fix" would this do the job?

Regards,
Peter

--
Peter Childs  ---  http://www.imforei.apana.org.au/~pjchilds
Finger pjchilds@al.imforei.apana.org.au for public PGP key
Drag me, drop me, treat me like an object!
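
Added example, not part of the original message and not FreeBSD kernel code: a userspace C model of the reserved-port decision discussed above, generalized from the single port-25 case to a table of exact uid/port grants. The names model_bind_check, struct port_grant and MODEL_IPPORT_RESERVED, and the uid value 25 standing in for the mail account, are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_IPPORT_RESERVED 1024	/* ports below this are "reserved" */

/* Hypothetical exception entry: this uid may bind this one reserved port. */
struct port_grant {
	uint32_t uid;
	uint16_t port;			/* host byte order */
};

/* Constructed policy: uid 25 stands in for the mail account. */
static const struct port_grant grants[] = { { 25, 25 } };

/*
 * Model of the privilege decision on the bind path.
 * Returns 0 when the bind may proceed, EACCES when it is refused.
 */
int
model_bind_check(uint32_t uid, uint16_t port,
    const struct port_grant *tbl, size_t n)
{
	size_t i;

	if (port == 0 || port >= MODEL_IPPORT_RESERVED)
		return 0;	/* kernel-chosen or unreserved port */
	if (uid == 0)
		return 0;	/* root keeps the traditional right */
	for (i = 0; i < n; i++)
		if (tbl[i].uid == uid && tbl[i].port == port)
			return 0;	/* exact uid/port pair granted */
	return EACCES;		/* every other reserved bind is denied */
}

int
main(void)
{
	/* Constructed callers: root, the mail uid, an ordinary user. */
	const uint32_t uids[] = { 0, 25, 1001 };
	size_t i;

	for (i = 0; i < 3; i++)
		printf("uid %u -> port 25: %d, port 80: %d\n", (unsigned)uids[i],
		    model_bind_check(uids[i], 25, grants, 1),
		    model_bind_check(uids[i], 80, grants, 1));
	return 0;
}
```

The grant matches on the exact uid and port pair, so the mail uid gains port 25 only and every other reserved port still returns EACCES for it.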