Date:      Mon, 18 Nov 1996 15:05:38 +1030 (CST)
From:      newton@communica.com.au (Mark Newton)
To:        msmith@atrad.adelaide.edu.au (Michael Smith)
Cc:        imp@village.org, newton@communica.com.au, batie@agora.rdrop.com, adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@FreeBSD.ORG
Subject:   Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID:  <9611180435.AA17191@communica.com.au>
In-Reply-To: <199611180335.OAA17231@genesis.atrad.adelaide.edu.au> from "Michael Smith" at Nov 18, 96 02:05:04 pm

Michael Smith wrote:
 
 > Mark's sense of warmth is perhaps slightly over-smug,

Have you ever known me to be any different? :-)

 > but his point is
 > valid.  In fact, if it were possible to be non-root and bind to port 25,

That's a wonderful point:  The only reason sendmail needs root to bind to
port 25 as a daemon is because of the rather UNIX-centric view that TCP/IP
ports less than 1024 can only be allocated by a privileged user.  TCP/IP
implementations on non-UNIX platforms disagree violently with this
assumption, which makes the value of this "security" feature rather dubious.

It would be foolish of me to argue to have it changed, though :-)

 > then sendmail could be run non-root in daemon mode and not be called from
 > cron (which Mark omitted to mention).

That would have allowed a user to obtain a setuid shell owned by the
"smtp" user by exploiting the latest bug.  While not as serious as a
root shell, I'm still not wonderfully happy about the possibility.

    - mark

---
Mark Newton                               Email: newton@communica.com.au
Systems Engineer                          Phone: +61-8-8373-2523
Communica Systems                         WWW:   http://www.communica.com.au
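
The observation in this message, that root is needed only for the bind to a port below 1024, is what the bind-then-drop pattern relies on. The following is an added example, not code from this thread or from sendmail; port 2525 and uid/gid 65534 are assumed stand-ins for port 25 and the "smtp" user.

```c
/* Added example (not from the thread): bind first, then give up root for good. */
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* The UNIX convention discussed above: ports below IPPORT_RESERVED (1024). */
int port_is_privileged(unsigned port) { return port > 0 && port < IPPORT_RESERVED; }

/* Open a listening TCP socket; for a privileged port this is the only step needing root. */
int open_listener(unsigned short port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0), on = 1;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to uid/gid irreversibly. Order matters: groups, then gid, then uid.
 * Returns 0 only if the process is non-root and cannot get root back. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
            return -1;
    }
    if (geteuid() == 0 || setuid(0) == 0) return -1;  /* still root, or regained it */
    return 0;
}

int main(void) {
    unsigned short port = 2525;  /* assumption: unprivileged stand-in for port 25 */
    int fd = open_listener(port);
    if (fd < 0) { perror("open_listener"); return 1; }
    if (drop_privileges(65534, 65534) < 0) { fprintf(stderr, "drop failed\n"); return 1; }
    printf("listening on %u as uid %d\n", port, (int)getuid());
    close(fd);
    return 0;
}
```

After the drop, a bug in the daemon yields the unprivileged account rather than root, which is the residual exposure the message describes for the "smtp" user.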


