Date: Wed, 16 Apr 1997 13:47:35 -0700
From: Pedro Giffuni <pgiffuni@fps.biblos.unal.edu.co>
To: David Nugent <davidn@unique.usn.blaze.net.au>
Cc: Warner Losh <imp@village.org>, Giles Lean <giles@nemeton.com.au>, "Jordan K. Hubbard" <jkh@time.cdrom.com>, hackers@freebsd.org
Subject: Re: on the subject of changes to -RELEASEs...
Message-ID: <33553AE7.23FD@fps.biblos.unal.edu.co>
References: <199704120213.MAA10732@topaz.nemeton.com.au> <E0wG8AO-000081-00@rover.village.org> <19970416125329.34879@usn.blaze.net.au>

David Nugent wrote:
>
> On Sat Apr 12 13:08:52 EST 1997, Warner Losh writes:
> > In message <199704120213.MAA10732@topaz.nemeton.com.au> Giles Lean writes:
> > [ use smrsh ]
...[linking procmail]
> And, yes, it definitely must be there, regardless of what was claimed
> earlier in this thread.
>

No, it shouldn't. Procmail is a local mailer .. a replacement for
"mail", since smrsh shouldn't go under the local part of the
sendmail.cf, it should only affect programs that the external mailer
should invoke; those that are in users' .forward files. Including other
programs under the sm.bin dir can be a security hazard.

I can be wrong on this one (I don't use procmail), but I sincerely doubt
it because no one links mail under sm.bin. A patch for this would only
affect our procmail port, anyway.

I also insist that changing the default user can bring further security
benefits. I'd have to verify the exact syntax (I'm not in UNIX right
now), but under sendmail.cf there is somewhere a u## (where ## usually
stands for root's user). The user here is by default root, because it's
the only user all unix systems have for sure. As pointed out in a CERT
advisory, this user doesn't have to be root, it shouldn't have
privileges and doesn't even require a shell. Changing this user
controlled the security problem associated with sendmail 8.8.2 (if I'm
not wrong).

These changes are easily doable for new releases: I consider this issue
very important, and if further doubts persist, they should be discussed
in the security list.

Pedro.

> Regards,
>
> David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
> Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet
> davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
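
The two settings this message discusses, the program behind sendmail's prog mailer and the default user, are both lines in sendmail.cf. The following Python check is an added example, not part of the original message: it reads a constructed sendmail.cf fragment and reports both settings. The file paths, the `daemon` user and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in sendmail.cf syntax (not taken from the message).
SAMPLE_CF = """\
# default UID (can be username or userid:groupid)
O DefaultUser=root
Mlocal,  P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn9, A=mail -d $u
Mprog,   P=/bin/sh, F=lsDFMoqeu9, D=$z:/, A=sh -c $u
"""

# Same fragment with an unprivileged default user (assumed name) and smrsh
# as the program the prog mailer runs (assumed install path).
HARDENED_CF = (SAMPLE_CF
               .replace("DefaultUser=root", "DefaultUser=daemon:daemon")
               .replace("P=/bin/sh", "P=/usr/libexec/smrsh")
               .replace("A=sh -c", "A=smrsh -c"))


def parse_cf(text):
    """Return (default_user, {mailer_name: program_path}) from sendmail.cf text."""
    default_user, mailers = None, {}
    for line in text.splitlines():
        # Long form 'O DefaultUser=x' or the older single-letter form 'Oux'.
        m = re.match(r"O\s*(?:DefaultUser\s*=\s*|u)(\S+)", line)
        if m:
            default_user = m.group(1)
            continue
        # Mailer definition: 'Mname, P=/path/to/program, ...'
        m = re.match(r"M(\w+),.*?\bP=([^,\s]+)", line)
        if m:
            mailers[m.group(1)] = m.group(2)
    return default_user, mailers


def audit(text):
    """List findings for the default user and the prog mailer only."""
    user, mailers = parse_cf(text)
    findings = []
    if user is None:
        findings.append("DefaultUser is not set in this file")
    elif user.split(":")[0] in ("root", "0"):
        findings.append("DefaultUser is root; use an unprivileged account")
    # Only the prog mailer (programs named in .forward files) is checked
    # for smrsh; the local mailer is a separate M line and is left alone.
    prog = mailers.get("prog")
    if prog and not prog.endswith("/smrsh"):
        findings.append(f"prog mailer runs {prog}, not smrsh")
    return findings


if __name__ == "__main__":
    for name, cf in (("sample", SAMPLE_CF), ("hardened", HARDENED_CF)):
        print(name, parse_cf(cf), audit(cf))
```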