Date: Mon, 18 Nov 1996 15:18:14 +1100 (EST)
From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: Mark Newton <newton@communica.com.au>
Cc: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Message-ID: <Pine.BSF.3.91.961118151334.279E-100000@panda.hilink.com.au>
In-Reply-To: <9611180247.AA15359@communica.com.au>
On Mon, 18 Nov 1996, Mark Newton wrote:

> Of course, one of the main reasons why sendmail is so "dangerous" is that
> despite fifteen years of it-hurts-when-I-do-this style experience, we *still*
> run it as root! Why do we do this? Why does nobody understand that a UNIX
> process can't just gratuitously gain privileges unless some other privileged
> program gives them away? Given sendmail's history, why do so many people
> still trust it with root privileges when it doesn't actually need them?!
>
> sendmail really only needs root so that it can bind to the "privileged"
> port 25 when it's running in daemon mode. If you frob filesystem permissions
> sufficiently you can get away without providing sendmail with root
> privileges by running it with a non-root uid out of inetd (which is,
> indeed, precisely what I have done with it here at Communica, where
> sendmail runs as the unprivileged "smtp" user).

I've been thinking about this, too. Why *does* sendmail need to run as root?

a) to bind to port 25 (fixable with inetd, and other ways)
b) to operate on the mail queue (fixable with a group 'mail' or somesuch)
c) to deliver local mail - nope, /usr/libexec/mail.local is suid root to do this.

Are there any other reasons?

Danny
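Added example, not from this thread and not sendmail's code: one of the "other ways" for point (a) above, a daemon that binds the privileged port while still root and then drops root for good before it reads any network input. The "smtp" uid/gid of 25 and the listen address are assumptions for illustration.

```c
/* Added example: bind a privileged port as root, then drop root irrevocably
 * before handling untrusted input. Not sendmail code; the smtp uid/gid and
 * the listen address below are assumed values for illustration. */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on host:port; returns the listening fd or -1 on failure. */
int bind_listener(const char *host, int port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Switch to uid/gid. Order matters: supplementary groups first (needs root),
 * then gid (while still root), then uid last. Returns 0 only if the switch
 * took effect and root cannot be regained afterwards (fail closed). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* saved uid was still root */
    return 0;
}

int main(void) {
    uid_t smtp_uid = 25; gid_t smtp_gid = 25;     /* assumed "smtp" account */
    int fd = bind_listener("0.0.0.0", 25);        /* needs root: do it first */
    if (fd < 0) { perror("bind_listener"); return 1; }
    if (drop_privileges(smtp_uid, smtp_gid) != 0) { perror("drop"); return 1; }
    printf("listening on 25 as uid %d; root is gone\n", (int)getuid());
    /* From here on, only unprivileged code ever sees client data. */
    for (;;) { int c = accept(fd, NULL, NULL); if (c >= 0) close(c); }
}
```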