sendmail and suidness (or lack thereof)

To: <debian-devel@lists.debian.org>
Subject: sendmail and suidness (or lack thereof)
From: Richard A Nelson <cowboy@vnet.ibm.com>
Date: Tue, 3 Apr 2001 23:27:15 -0400 (EDT)
Message-id: <[🔎] Pine.LNX.4.33.0104032302040.14923-100000@back40>

I'm considering a change in the sendmail package to increase security -
this change may also windup being the default in later sendmail
distributions.

I'd appreciate comments (other than MTA flamewars please).  I'll try
be both succinct, and yet provide enough information - a hard row to
hoe...

Glossary (will help reading if you have it first):
  * mta - y'all know this one (Mail Transport Agent)
  * msp - this be new (Mail Submission Processor - don't call it a
          Mail Submission Agent, because that has its own meaning
          defined by RFC 2476 - and supported by the mta)

The change is based upon the reasons sendmail has for root:
  * bind to port 25 (could be done via authbind)
  * calls to LDA (procmail, etc) that aren't suid root - no alternative
  * read user's .forward - no alternative
  * write to /var/spool/mqueue (could be sgid mail)

The basic idea is to have two binaries (likely the same binary in two
places - but thats not relevant):
  * sm-mta (the part that needs root priviledges)
  * sm-msp (the part that doesn't need root, but needs sgid mail)
And entails creating a new queue directory that'd be sgid mail

sm-mta would not be in the search order, not suid, not be world
readable/executable... owned and executed by root via todays
/etc/init.d/sendmail.  It'd bind to port 25 and handle passing of mail
onto LDAs.

sm-msp (/usr/sbin/sendmail for compatability) would be sgid mail and
handle insertion of messages.  If it can't immediately pass the message
onto sm-mta, it'd queue it in the new sgid mail spool.

It'd be rare that sm-mta didn't accept the message (and it'd be queued),
but none the less, there'd be need of either a cronjob, or an instance
of sm-msp to periodically dump the new queue to ms-mta.

This all would, of course, be transparent to the user - it should hit
primarily /etc/default/sendmail, /etc/init.d/sendmail, and
/usr/sbin/sendmailconfig from an adminstrator's point of view.

I'm implimenting this on my boxen for testing, and would welcome other
ideas, questions & complaints (again, pissing contests will be deleted
post haste).
-- 
Rick Nelson
Life'll kill ya                         -- Warren Zevon
Then you'll be dead                     -- Life'll kill ya

Reply to:

Follow-Ups:
- Re: sendmail and suidness (or lack thereof)
  - From: Guus Sliepen <guus@sliepen.warande.net>
- Re: sendmail and suidness (or lack thereof)
  - From: Vincent Zweije <zweije@xs4all.nl>
- Re: sendmail and suidness (or lack thereof)
  - From: Russell Coker <russell@coker.com.au>

Prev by Date: Re: i386-only packages: porting bugs "wishlist"?
Next by Date: Re: chroot BIND Re: Task harden.
Previous by thread: Re: i386-only packages: porting bugs "wishlist"?
Next by thread: Re: sendmail and suidness (or lack thereof)
Index(es):
- Date
- Thread