sendmail and suidness (or lack thereof)
I'm considering a change in the sendmail package to increase security -
this change may also wind up being the default in later sendmail
distributions.
I'd appreciate comments (other than MTA flamewars please). I'll try to
be both succinct, and yet provide enough information - a hard row to
hoe...
Glossary (will help reading if you have it first):
* mta - y'all know this one (Mail Transport Agent)
* msp - this be new (Mail Submission Processor - don't call it a
Mail Submission Agent, because that has its own meaning
defined by RFC 2476 - and supported by the mta)
The change is based upon the reasons sendmail has for root:
* bind to port 25 (could be done via authbind)
* calls to LDA (procmail, etc) that aren't suid root - no alternative
* read user's .forward - no alternative
* write to /var/spool/mqueue (could be sgid mail)
The basic idea is to have two binaries (likely the same binary in two
places - but that's not relevant):
* sm-mta (the part that needs root privileges)
* sm-msp (the part that doesn't need root, but needs sgid mail)
And entails creating a new queue directory that'd be sgid mail.
sm-mta would not be in the search order, not suid, not be world
readable/executable... owned and executed by root via today's
/etc/init.d/sendmail. It'd bind to port 25 and handle passing of mail
onto LDAs.
sm-msp (/usr/sbin/sendmail for compatibility) would be sgid mail and
handle insertion of messages. If it can't immediately pass the message
onto sm-mta, it'd queue it in the new sgid mail spool.
It'd be rare that sm-mta didn't accept the message (and it'd be queued),
but nonetheless, there'd be need of either a cronjob, or an instance
of sm-msp to periodically dump the new queue to sm-mta.
This all would, of course, be transparent to the user - it should hit
primarily /etc/default/sendmail, /etc/init.d/sendmail, and
/usr/sbin/sendmailconfig from an administrator's point of view.
I'm implementing this on my boxen for testing, and would welcome other
ideas, questions & complaints (again, pissing contests will be deleted
post haste).
--
Rick Nelson
Life'll kill ya -- Warren Zevon
Then you'll be dead -- Life'll kill ya
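
Added example, not part of the original post or of the sendmail package: a small Python audit of the ownership and mode bits the proposal describes for sm-mta, sm-msp and the new queue directory. The role name msp-queue, the numeric gid used for group mail, the write-bit checks, and the reading of "sgid mail" on the directory as "reachable only through group mail" are assumptions.

```python
import os
import stat

ROOT_UID = 0
MAIL_GID = 8  # assumption: numeric gid of group "mail" on the audited host
BITS = [(stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
        (stat.S_IWGRP, "group-write"), (stat.S_IXGRP, "group-exec"),
        (stat.S_IROTH, "world-read"), (stat.S_IWOTH, "world-write"),
        (stat.S_IXOTH, "world-exec")]

# One entry per object in the proposal; uid/gid of None means "not checked".
POLICY = {
    # root-owned daemon: not suid, not world readable/executable
    "sm-mta": dict(kind=stat.S_IFREG, uid=ROOT_UID, gid=None, require=0,
                   forbid=stat.S_ISUID | stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH),
    # submission program: sgid mail, runnable by any user, never suid
    "sm-msp": dict(kind=stat.S_IFREG, uid=None, gid=MAIL_GID,
                   require=stat.S_ISGID | stat.S_IXGRP | stat.S_IXOTH,
                   forbid=stat.S_ISUID | stat.S_IWGRP | stat.S_IWOTH),
    # new queue directory: reachable through group mail only (assumed reading)
    "msp-queue": dict(kind=stat.S_IFDIR, uid=None, gid=MAIL_GID,
                      require=stat.S_IWGRP | stat.S_IXGRP,
                      forbid=stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH),
}

def audit(role, mode, uid, gid):
    """Return a list of deviations from POLICY[role]; empty means compliant."""
    p, out = POLICY[role], []
    if stat.S_IFMT(mode) != p["kind"]:
        out.append("wrong file type")
    for bit, name in BITS:
        if p["require"] & bit and not mode & bit:
            out.append("missing " + name)
        if p["forbid"] & bit and mode & bit:
            out.append("unexpected " + name)
    if p["uid"] is not None and uid != p["uid"]:
        out.append("owner uid %d, expected %d" % (uid, p["uid"]))
    if p["gid"] is not None and gid != p["gid"]:
        out.append("group gid %d, expected %d" % (gid, p["gid"]))
    return out

def audit_path(role, path):
    """Audit a real file; lstat so a symlink is reported as the wrong type."""
    st = os.lstat(path)
    return audit(role, st.st_mode, st.st_uid, st.st_gid)

if __name__ == "__main__":
    # Constructed sample: a leftover suid-root, world-executable sm-mta.
    print(audit("sm-mta", stat.S_IFREG | 0o4755, ROOT_UID, 0))
```

On a real host, call audit_path() with the installed locations of the two binaries and the queue directory, and set MAIL_GID from the local group database.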