Date: Mon, 25 Nov 1996 13:24:50 -0600 (CST)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: peter@taronga.com (Peter da Silva)
Cc: hackers@freebsd.org
Subject: Re: Replacing sendmail
Message-ID: <199611251924.NAA15320@brasil.moneng.mei.com>
In-Reply-To: <199611251740.LAA26515@bonkers.taronga.com> from "Peter da Silva" at Nov 25, 96 11:40:13 am

> In article <199611250434.PAA27300@genesis.atrad.adelaide.edu.au>,
> Michael Smith <msmith@atrad.adelaide.edu.au> wrote:
> >I'd also appreciate input from anyone that can see a problem with having
> >sendmail lying around but not running; if it's thought that this is still
> >a security risk, then there should be a comment in the handbook section
> >on mailer security suggesting that it be disabled (nuked, re-moded, etc.).
>
> Remoded. It'll still work to *send* mail if it's not running, and there
> are convenient security holes there too.

Absolutely agree; anything that is suid and is not being used should have
the suid bits removed (at a minimum). That extends to other things as
well. :-)

Anybody want to write a little tool that "knows" how to do this,
configurably? Maybe some mtree files plus a little menu widget.

A quick inspection reveals that the following files (maybe more) are suid:

    /bin/rcp
    /sbin/dump /sbin/rdump /sbin/ping /sbin/restore /sbin/rrestore
    /sbin/route /sbin/shutdown /sbin/mount_msdos
    /usr/bin/cu /usr/bin/uucp /usr/bin/uuname /usr/bin/uustat /usr/bin/uux
    /usr/bin/suidperl /usr/bin/sperl4.036
    /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/batch
    /usr/bin/chpass /usr/bin/chfn /usr/bin/chsh
    /usr/bin/ypchpass /usr/bin/ypchfn /usr/bin/ypchsh
    /usr/bin/keyinit /usr/bin/lock /usr/bin/login /usr/bin/passwd
    /usr/bin/yppasswd /usr/bin/quota /usr/bin/rdist /usr/bin/rlogin
    /usr/bin/rsh /usr/bin/su /usr/bin/crontab
    /usr/bin/lpq /usr/bin/lpr /usr/bin/lprm
    /usr/bin/newaliases /usr/bin/mailq /usr/bin/register
    /usr/libexec/uucp/uucico /usr/libexec/uucp/uuxqt /usr/libexec/mail.local
    /usr/sbin/mrinfo /usr/sbin/mtrace /usr/sbin/ppp /usr/sbin/pppd
    /usr/sbin/sendmail /usr/sbin/sliplogin /usr/sbin/timedc
    /usr/sbin/traceroute
    /usr/games/dm

It seems to me that many of these are parts of various system "services"
(UUCP, LPR, Mail, YP, rcmds).

What might be way cool is a program that presents a menu such as

    System Services
    ---------------
    enabled   A) Sendmail
    disabled  B) UUCP
    disabled  C) Printing
    enabled   D) IIJ-PPP
    disabled  E) sliplogin

Etc. and allows you to turn each one on or off (basically fixing up the
permissions).

Just a thought, not a volunteer ;-)

... JG
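
An added example, not part of the original message and not FreeBSD code: a POSIX sh sketch of the per-service switch the message proposes, limited to reporting status and turning a service off by stripping setuid/setgid bits. The grouping of paths into services and the `ROOT` prefix variable are assumptions made for the example; the paths themselves come from the list in the message.

```shell
#!/bin/sh
# Added example: per-service setuid/setgid stripping.
# ROOT is a hypothetical prefix so the script can be tried on a scratch tree.
ROOT="${ROOT:-}"

# Grouping of paths into services is an assumption made for this example;
# the paths themselves are taken from the list in the message.
service_files() {
    case "$1" in
        sendmail)  echo "/usr/sbin/sendmail /usr/bin/newaliases /usr/bin/mailq /usr/libexec/mail.local" ;;
        uucp)      echo "/usr/bin/cu /usr/bin/uucp /usr/bin/uuname /usr/bin/uustat /usr/bin/uux /usr/libexec/uucp/uucico /usr/libexec/uucp/uuxqt" ;;
        printing)  echo "/usr/bin/lpq /usr/bin/lpr /usr/bin/lprm" ;;
        iij-ppp)   echo "/usr/sbin/ppp" ;;
        sliplogin) echo "/usr/sbin/sliplogin" ;;
        *)         return 1 ;;
    esac
}

# Print "enabled" if any file of the service still has suid/sgid set.
service_status() {
    files=$(service_files "$1") || { echo "unknown"; return 1; }
    for f in $files; do
        if [ -u "$ROOT$f" ] || [ -g "$ROOT$f" ]; then
            echo "enabled"; return 0
        fi
    done
    echo "disabled"
}

# Strip suid/sgid from each regular file of the service. Missing files and
# symlinks are skipped (a link's target is handled under its own path).
service_disable() {
    files=$(service_files "$1") || return 1
    for f in $files; do
        p="$ROOT$f"
        [ -f "$p" ] && [ ! -L "$p" ] || continue
        chmod u-s,g-s "$p" || return 1
    done
}

# Menu-style listing in the layout sketched in the message.
list_services() {
    for s in sendmail uucp printing iij-ppp sliplogin; do
        printf '%-9s %s\n' "$(service_status "$s")" "$s"
    done
}

if [ "${1:-}" = "list" ]; then list_services; fi
```

Turning a service back on needs the original modes, which is where the mtree files mentioned in the message would come in; this sketch does not record them.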