Date: Mon, 18 Nov 1996 13:42:43 +1030 (CST)
From: newton@communica.com.au (Mark Newton)
To: imp@village.org (Warner Losh)
Cc: newton@communica.com.au, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID: <9611180312.AA15775@communica.com.au>
In-Reply-To: <E0vPJrb-0003cC-00@rover.village.org> from "Warner Losh" at Nov 17, 96 07:55:10 pm
Warner Losh wrote:
> In message <9611180247.AA15359@communica.com.au> Mark Newton writes:
> : sendmail really only needs root so that it can bind to the "privileged"
> : port 25 when it's running in daemon mode. If you frob filesystem permissions
> : sufficiently you can get away without providing sendmail with root
> : privileges by running it with a non-root uid out of inetd (which is,
> : indeed, precisely what I have done with it here at Communica, where
> : sendmail runs as the unprivileged "smtp" user).
>
> I don't buy this. You need to be able to create a mailbox of an
> arbitrary user,

Garbage. You can create the mailbox at the same time that you create the
user (as part of the adduser script). Set the mailbox's gid to "smtp" and
run sendmail with the "smtp" gid (actually, I don't do this on our gateway
machine at Communica: nobody ever logs in to it, nobody ever receives mail
on it, sendmail is configured to forward "local" mail to an internal host;
special privileges to write local mailboxes aren't needed, so sendmail
doesn't get them given to it).

> and then write to that mailbox with that user's uid,

No, write to the mailbox with the "smtp" gid (created for the purpose); the
mailbox will already be owned by the destination user as part of the
creation process. Remember, I did say that appropriate filesystem permission
frobbing was necessary for this to work.

Filesystem permissions for mail have never been something we've needed to
worry about before because sendmail's bogus privilege level lets it ignore
them all! This is the precise root cause of all of sendmail's security bugs
throughout its entire history.

> or to a shell of that user's uid.

You allow shell escapes? I prefer an administrative model where the system
administrator gets to decide who can run programs on the local host, rather
than the users themselves. You don't let pleb users create files in a
system's cgi-bin directory, why should you let them run commands out of
their .forward files?

Isn't sendmail a program used for transferring mail, rather than a program
used to allow any user on the Internet to execute arbitrary commands on your
system? Removing shell escapes from .forward is, IMHO, of a similar league
to disabling the functionality of .rhosts files. Shell escapes are, and
always have been, a feature which permits unaccountable abuses of security
to provide "ease of use" which only a small subset of users really care
about.

> To do otherwise would introduce
> other security problems, some of which have been beat to death in the
> freebsd lists.

I don't geddit. You're suggesting that taking privileges sendmail doesn't
need away from it introduces more security problems than letting it run as
root 24 hours per day? Doesn't the CERT archive provide you with ample
empirical evidence to suggest that that claim is bogus?

If sendmail's security is broken, I'd prefer to limit the damage to
sendmail's realm of influence. Under the default configuration, if
sendmail's security is broken the entire system falls victim to the attack.
Personally, if someone is going to break into my gateway host I'd prefer
them to do it as the smtp user (cf. "nobody") rather than the root user.

For the *extremely* small subset of tasks for which sendmail requires root
privileges to accomplish, I'd prefer to modify sendmail so that it can
accomplish them in a different way rather than just admit defeat and let
sendmail have the privileges on a permanent basis. Letting it have root 24
hours per day is, In My Humble Experience, just asking for trouble.

> What am I missing?

Compartmentalization, I think.

- mark

[ tomorrow's lesson: Why does lpd run as root? ]

---
Mark Newton                               Email:  newton@communica.com.au
Systems Engineer                          Phone:  +61-8-8373-2523
Communica Systems                         WWW:    http://www.communica.com.au
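An added example, not from this message or from sendmail or FreeBSD, of what the "filesystem permission frobbing" the reply relies on looks like when checked: a small POSIX shell audit that verifies each mailbox in a spool directory is owned by its recipient, carries the group sendmail is run under (assumed here to be named "smtp"), and is writable by that group and nobody else. The spool path and group name are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a mail spool against the
# layout the reply describes: each mailbox is owned by its recipient, carries
# the unprivileged mail group (assumed to be named "smtp"), and is writable by
# that group only, so a sendmail running with that gid can append to it
# without root. Uses only ls output, so it runs unprivileged on BSD and GNU.
MAIL_GROUP="${MAIL_GROUP:-smtp}"   # assumption: the gid sendmail runs under

# mailbox_ok FILE GROUP
# Exit 0 if FILE is a regular file, mode 0620 or 0660, owned by the user it is
# named after and with group GROUP; otherwise print the reason and exit 1.
mailbox_ok() {
    f=$1; want_group=$2
    out=$(ls -ld "$f" 2>/dev/null) || { printf '%s: cannot stat\n' "$f"; return 1; }
    set -- $out
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop any trailing ACL/xattr marker
    owner=$3; group=$4
    case "$mode" in
        -rw--w----|-rw-rw----) ;;
        -*) printf '%s: mode %s (want 0620 or 0660)\n' "$f" "$mode"; return 1 ;;
        *)  printf '%s: not a regular file\n' "$f"; return 1 ;;
    esac
    if [ "$owner" != "$(basename "$f")" ]; then
        printf '%s: owned by %s, not the recipient\n' "$f" "$owner"; return 1
    fi
    if [ "$group" != "$want_group" ]; then
        printf '%s: group %s (want %s)\n' "$f" "$group" "$want_group"; return 1
    fi
    return 0
}

# audit_spool DIR GROUP: run mailbox_ok over every entry in DIR; exit 1 if any fails.
audit_spool() {
    rc=0
    for mbox in "$1"/*; do
        [ -e "$mbox" ] || continue
        mailbox_ok "$mbox" "$2" || rc=1
    done
    return $rc
}

# Typical use on a real host (spool path is an assumption for this example):
#   audit_spool /var/mail "$MAIL_GROUP"
```

A world-writable or wrongly grouped mailbox is exactly the case where an unprivileged sendmail would either fail to deliver or let other local users tamper with mail, so the audit is worth running from the same adduser script that creates the mailbox.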