Re: Sendmail 8.7.5
Rob Leslie wrote:
>
>> I've compiled sendmail 8.7.5 and I've got it running suid-mail! [I
>> don't see any reason to run it suid-root --- especially given the
>> history of vulnerabilities.] Then again I've barely tested it.
>
>Interesting. I'd like to test this some.
Having sendmail suid-root may require a suid-root mail-delivery
agent. Anyone know if procmail, deliver, and/or mail.local are written
to be secure as suid-root? procmail is already suid-root in Debian and
Red Hat, so I suspect it is the local mail delivery agent to use if we
opt to make sendmail suid-mail. Also, since .forward only works if it
is world-readable and your $HOME is world-executable, .procmailrc is
the preferred way to forward mail in a suid-mail sendmail world. None
of the > 2,000 customers at Net Access complained when we switched to
suid-mail sendmail. But it is a change from Unix tradition. I can't
think of any other disadvantages to running sendmail suid-mail,
sgid-mail.
All I did to make sendmail suid-mail was to fix the permissions on
/var/spool/mqueue and /var/spool/mail (I suppose /var/log/sendmail may
need to be set up too). Since I did it in a hurry, I probably gave too
much permission to these directories. I'll leave it to a Real guru to
specify the minimal directory permissions for sendmail to run
suid-mail, sgid-mail.
--
Christopher J. Fearnley | UNIX SIG Leader at PACS
cjf@netaxs.com | (Philadelphia Area Computer Society)
http://www.netaxs.com/~cjf | Design Science Revolutionary
ftp://ftp.netaxs.com/people/cjf | Explorer in Universe
"Dare to be Naive" -- Bucky Fuller | Linux Advocate
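
Added example, not part of the original message: a read-only shell audit for the two permission points raised above. It checks whether a user's .forward meets the condition the post gives (world-readable file, world-executable $HOME) and whether a spool directory is world-writable without the sticky bit. The function names are hypothetical, and the paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example: read-only checks, nothing on disk is modified.

# mode_string PATH -> prints the 10-character ls mode string (e.g. drwxr-xr-x).
mode_string() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# forward_usable HOME
#   0: HOME is world-executable and HOME/.forward is world-readable
#      (the condition the post gives for a suid-mail sendmail)
#   1: .forward exists but fails that condition
#   2: no .forward in HOME
forward_usable() {
    home=$1
    [ -f "$home/.forward" ] || return 2
    hm=$(mode_string "$home")
    fm=$(mode_string "$home/.forward")
    # 10th character is other-execute; 't' means execute plus sticky.
    case $hm in ?????????[xt]) ;; *) return 1 ;; esac
    # 8th character is other-read.
    case $fm in ???????r??) ;; *) return 1 ;; esac
    return 0
}

# world_writable_no_sticky DIR
#   0: DIR is other-writable and has no sticky bit, so any local user
#      can delete or rename other users' files in it
#   1: otherwise
world_writable_no_sticky() {
    m=$(mode_string "$1")
    case $m in d???????w[x-]) return 0 ;; *) return 1 ;; esac
}

# Report on each home directory named on the command line.
for h in "$@"; do
    rc=0
    forward_usable "$h" || rc=$?
    case $rc in
        0) echo "$h: .forward meets the world-readable condition" ;;
        1) echo "$h: .forward present but fails the condition" ;;
    esac
done
```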