
Re: New vulnerability in Sendmail



'Christoph Lameter wrote:'
>
>On Wed, 20 Nov 1996, Chris Fearnley wrote:
>
>cjf >I can't identify anything that won't work.  Even .forward files work
>cjf >since the incoming connections are handled by the sendmail process
>cjf >started by root in "/etc/init.d/sendmail start".  I doubt world
>cjf >unreadable .forward's would work on a NFS mounted home directory (but
>cjf >that is the case anyway, right?).
>
>We use those .forwards heavily.

Do you mean .forwards?  Or NFS-mounted, world-unreadable .forwards?  I
have verified that my configuration has no trouble with .forwards even
over NFS.  But due to root-squashing on NFS, I think world unreadable
.forwards would fail on /all/ installations (even suid root sendmails).

>cjf >I think the above should be the default sendmail installation for
>cjf >Debian.  Sysadmins who know what they are doing can make sendmail
>cjf >suid to root if they want.  But the rest of us can't be expected to
>cjf >drop everything every time a hole is found in sendmail.  Yet our
>cjf >businesses often depend on security.
>
>In that case you have a nonstandard installation. Usually sysadmins expect
>sendmail to be suid root and thus a security problem to keep an eye on.
>Tradition.

But a secure one!!  I want to know what loss in functionality and/or
privacy my approach incurs.  The sendmail docs say that you can run
sendmail without suid bits, but they imply that that inherently implies
a loss in functionality or privacy.  I conjecture that the docs are
/wrong/.  I conjecture that sgid mail bits on sendmail offer all the
functionality and privacy of suid root sendmail but without the
security holes.  If I am right, then we /should/ be nonstandard.  If I
am wrong, I want to know about it.  Could someone specify what
disadvantage my approach incurs???  [When I get some time I'm going to
ask this on comp.mail.sendmail.]

>There are many tools that have some sort of interaction with sendmail. The
>nonsuid change might break some of those.

Which ones?  I haven't found any loss of functionality.

>I have done it since a few years now learned to deal with it and I'd
>rather keep the traditional setup than risking breaking things in our
>rather complex setup here.

I think the sendmail postinst could ask:  "SUID root sendmail is very
risky security-wise.  The Debian default is to NOT install sendmail
SUID root.  However, if your site needs one of the obscure sendmail
features that require the SUID bit say Y here.  Add SUID bit to
sendmail binary [N/y]? "  Would this satisfy your concerns while
satisfying the security concerns of the rest of us?

I think virtually all suid programs in Debian should by default NOT
install suid.  The postinst can add suid bits as a configuration
option.  Of course, /bin/{passwd,chfn} and etc. must be installed suid
root.  But any application that works without suid bits (such as
sendmail) should be installed without the suid bits and those bits
could be added by either the postinst or the sysadmin.

-- 
Christopher J. Fearnley            |    Linux/Internet Consulting
cjf@netaxs.com, cjf@onit.net       |    UNIX SIG Leader at PACS
http://www.netaxs.com/~cjf         |    (Philadelphia Area Computer Society)
ftp://ftp.netaxs.com/people/cjf    |    Design Science Revolutionary
"Dare to be Naive" -- Bucky Fuller |    Explorer in Universe
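As an added example, not part of Chris Fearnley's message and not Debian's sendmail postinst: a small POSIX shell sketch of the installation policy proposed above (sgid a mail group by default, suid root only when the admin answers Y), plus the two checks a sysadmin would run afterwards, namely reading the setuid/setgid bits off a binary and counting setuid files under a tree. The prompt wording, the group name, the paths and the function names are assumptions for illustration; the binary is assumed to be owned by root already, as dpkg installs it, so only the group and the mode bits are touched.

```shell
#!/bin/sh
# Added example (hypothetical postinst-style helper, not the Debian package's own):
# install a mailer binary sgid <group> by default, suid root only on request.

# mode_string FILE -> the ten-character ls(1) permission field, e.g. -rwxr-sr-x
# (used instead of stat(1), whose flags differ between GNU and BSD).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# has_setuid FILE -> exit 0 if the setuid bit is set ('s'/'S' in the owner-exec slot)
has_setuid() {
    case $(mode_string "$1" | cut -c4) in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# has_setgid FILE -> exit 0 if the setgid bit is set ('s'/'S' in the group-exec slot)
has_setgid() {
    case $(mode_string "$1" | cut -c7) in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# apply_mailer_mode BINARY GROUP ANSWER
#   ANSWER y/Y    -> traditional layout: setuid owner, mode 4755
#   anything else -> default layout:     setgid GROUP, mode 2755, no setuid bit
# Assumes BINARY is already owned by root (dpkg installs it that way); only the
# group and the mode bits change, so this also works on a scratch copy owned by
# an unprivileged user.
apply_mailer_mode() {
    bin=$1 grp=$2 ans=$3
    chgrp "$grp" "$bin" || return 1
    case $ans in
        y|Y) chmod 4755 "$bin" ;;
        *)   chmod 2755 "$bin" ;;
    esac
}

# count_setuid DIR -> number of regular files under DIR with the setuid bit set:
# the after-install audit that confirms nothing unexpected is still setuid.
count_setuid() {
    find "$1" -type f -perm -4000 | wc -l | tr -d ' '
}

# postinst_prompt BINARY GROUP: the question proposed in the message, with the
# answer read from stdin so the prompt can be driven non-interactively.
postinst_prompt() {
    printf '%s\n' "SUID root sendmail is very risky security-wise." \
        "The default is to NOT install sendmail SUID root." \
        "If your site needs a sendmail feature that requires the SUID bit, say Y here."
    printf 'Add SUID bit to sendmail binary [N/y]? '
    read ans || ans=N
    apply_mailer_mode "$1" "$2" "${ans:-N}"
}

# Stand-alone demonstration on a constructed scratch file (not a real mailer):
#   DEMO=1 sh thisfile.sh
if [ "${DEMO:-}" = 1 ]; then
    tmp=$(mktemp -d) && : > "$tmp/sendmail" && chmod 755 "$tmp/sendmail"
    echo n | postinst_prompt "$tmp/sendmail" "$(id -gn)"
    echo "mode after install: $(mode_string "$tmp/sendmail"); setuid files under $tmp: $(count_setuid "$tmp")"
    rm -rf "$tmp"
fi
```

Driving the prompt from a pipe (`echo n | postinst_prompt ...`) is what lets the default branch be exercised in an unattended install; the `count_setuid` audit is the check that the message asks for, run over /usr/sbin or /usr/lib on a real system.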
