Re: sendmail and suidness (or lack thereof)
On Thu, 5 Apr 2001, Russell Coker wrote:
> > The change is based upon the reasons sendmail has for root:
> > * bind to port 25 (could be done via authbind)
>
> Also can be done by inetd as I did in ~1995.
True, but I already give the user the chance to run via inetd or not -
I'm talking about daemon processing
> > * calls to LDA (procmail, etc) that aren't suid root - no alternative
>
> You can tell sendmail to only use /var/spool/mail and make it group writable
> by group "mail".
>
> > * read user's .forward - no alternative
>
> .forward can be world-readable and the user's home directory can be mode 711.
Indeed, but that's an administrator's call; there is no way for sendmail to
check that this is set up properly - only upon seeing the error messages
will the admin know something is amiss.
> > sm-mta would not be in the search order, not suid, not be world
> > readable/executable... owned and executed by root via todays
> > /etc/init.d/sendmail. It'd bind to port 25 and handle passing of mail
> > onto LDAs.
>
> Why not have it run from inetd as some other user?
I give the user that chance, but spawning sendmail from inetd is clearly
non-optimal for a lot of cases.
> > It'd be rare that sm-mta didn't accept the message (and it'd be queued),
> > but none the less, there'd be need of either a cronjob, or an instance
> > of sm-msp to periodically dump the new queue to sm-mta.
>
> For mail relay machines and for processing .forward files which deliver to
> outside machines you need to have "sendmail -q" run from cron.
Nope... this new critter is *only* involved in message injection - the
only deliveries it does are to the *real* sendmail queues.
> Also your cron job has to make sure that you don't have two copies
> running at the same time because things go bad then.
Meaning what? I routinely start another queue runner, to speed up
delivery - works fine ;)
> > I'm implementing this on my boxen for testing, and would welcome other
> > ideas, questions & complaints (again, pissing contests will be deleted
> > post haste).
>
> See my web page http://www.coker.com.au/~russell/sendmail.html . You seem to
> have covered most things that my web page covered, but you might find
> something of use.
> Incidentally this is the most popular of my web pages. I have been
> consistently getting a minimum of 100 hits per week for 5 years.
Good stuff on your page! The (slight) differences in our approach stem
from where they're applied... I'll be changing the default installation
to something secure, and a few of your approaches can still be applied
on top of that.
--
Rick Nelson
Life'll kill ya -- Warren Zevon
Then you'll be dead -- Life'll kill ya
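The permission layout discussed above (a user's home directory at mode 711, a world-readable .forward, and /var/spool/mail group-writable by group "mail") is, as the reply notes, something sendmail cannot verify for itself. The script below is an added example, not part of the thread and not sendmail's or Debian's own code, that an administrator could run to audit that layout before relying on a non-setuid MTA. The function names, the diagnostic wording and the constructed demo directories are assumptions of this example; the spool path and group name are passed in as parameters.

```shell
#!/bin/sh
# Added example (not from the thread): audit the permission layout a
# non-setuid sendmail relies on.
#   - a user's home directory must let "other" traverse it (mode 711) so the
#     mail user can reach .forward
#   - .forward itself must be world-readable
#   - the mail spool directory must be group-writable by the mail group

# Character N of "ls -ld" output: 1 type, 2-4 user, 5-7 group, 8-10 other.
perm_char() {
    ls -ld "$1" | cut -c"$2"
}

# 0 if "other" may search (x, or sticky t) the directory, 1 otherwise.
other_can_search() {
    c=$(perm_char "$1" 10)
    [ "$c" = "x" ] || [ "$c" = "t" ]
}

# 0 if "other" may read the path.
other_can_read() {
    [ "$(perm_char "$1" 8)" = "r" ]
}

# 0 if the owning group may write the path.
group_can_write() {
    [ "$(perm_char "$1" 6)" = "w" ]
}

# Owning group name of a path, as shown by ls -ld.
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# check_forward HOME: 0 when HOME is traversable by others and any .forward
# in it is world-readable; 1 (with a diagnostic per problem) otherwise.
check_forward() {
    home=$1
    rc=0
    if ! other_can_search "$home"; then
        echo "WARN: $home: others cannot traverse it (want mode 711); .forward unreachable"
        rc=1
    fi
    if [ -f "$home/.forward" ] && ! other_can_read "$home/.forward"; then
        echo "WARN: $home/.forward: not world-readable"
        rc=1
    fi
    return $rc
}

# check_spool DIR GROUP: 0 when DIR is owned by GROUP and group-writable,
# e.g. check_spool /var/spool/mail mail; 1 otherwise.
check_spool() {
    dir=$1
    grp=$2
    rc=0
    if [ "$(group_of "$dir")" != "$grp" ]; then
        echo "WARN: $dir: owned by group $(group_of "$dir"), want $grp"
        rc=1
    fi
    if ! group_can_write "$dir"; then
        echo "WARN: $dir: not group-writable"
        rc=1
    fi
    return $rc
}

# Demo on constructed directories under mktemp (not real homes or spools).
demo() {
    t=$(mktemp -d)
    mkdir "$t/good" "$t/bad"
    chmod 711 "$t/good"; : > "$t/good/.forward"; chmod 644 "$t/good/.forward"
    chmod 700 "$t/bad";  : > "$t/bad/.forward";  chmod 600 "$t/bad/.forward"
    check_forward "$t/good" && echo "OK: $t/good"
    check_forward "$t/bad"  || echo "FAIL: $t/bad"
    rm -rf "$t"
}
demo
```

Run it as the admin over each home in /home (for example `for h in /home/*; do check_forward "$h"; done`) and once against the spool with the group your configuration expects; a warning means sendmail, running unprivileged, would hit exactly the delivery errors the reply describes.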